[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 170 commits: Back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Jun 7 12:51:10 BST 2023



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
657a7b25 by Antonio Torres at 2022-11-24T17:13:36+01:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
42957f9e by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update vault doc

Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
660da9ab by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update dnszone_add generated doc

Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42be04fe by Alexander Bokovoy at 2022-11-28T18:53:51+01:00
updates: fix memberManager ACI to allow managers from a specified group

The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.

Remove old ACI and add a full one during upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
aeb9cc9b by Florence Blanc-Renaud at 2022-12-02T10:18:16+01:00
PRCI: update memory reqs for each topology

The memory requirements are defined in the vagrant templates in
https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles

They have been updated and the corresponding values must be kept
consistent in the topologies for PRCI.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
c411c2e7 by Florence Blanc-Renaud at 2022-12-02T10:32:34+01:00
webui tests: fix assertion in test_subid.py

The test wants to check the error related to an
exception obtained inside a "with pytest.raises" instruction.
The object is an ExceptionInfo and offers a match method
to check the content of the string representation.
Use this match() method instead of str(excinfo) which now
returns
'<ExceptionInfo NoSuchElementException() tblen=10>'

Fixes: https://pagure.io/freeipa/issue/9282

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
8e7d1ac4 by Christian Heimes at 2022-12-02T13:28:04+01:00
ipa-certupdate: Update client certs before KDC/HTTPd restart

Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs.
`ipa-certupdate` now updates the file before it restarts HTTPd.

Fixes: https://pagure.io/freeipa/issue/9285
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a10627bd by Antonio Torres at 2022-12-02T14:24:05+01:00
API doc: add basic user management guide

Add basic user management guide that includes various examples on
performing common tasks related to the user module, such as adding an
user, modifying it, adding certificates for it, etc.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2d0a0cc4 by Florence Blanc-Renaud at 2022-12-02T15:27:22+01:00
Spec file: ipa-client depends on krb5-pkinit-openssl

Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9599e975 by Florence Blanc-Renaud at 2022-12-14T15:44:46+01:00
ipatests: xfail on all fedora for test_ipa_login_with_sso_user

With the new fedora36 vagrant image, the test is also failing.
Mark xfail for all fedora versions.
Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>

- - - - -
65a14a36 by Sudhir Menon at 2022-12-19T11:53:10+01:00
Fixes: ipa-otpd at .service: deprecated syslog setting

This patch updates the deprecated syslog setting i.e
StandardError=syslog with StandardError=journal

Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
68f6574c by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
ipatests: update the fake fips mode expected message

The test ipatests/test_integration/test_fips.py is faking
FIPS mode and calls "openssl md5" to ensure the algo is
not available in the fake FIPS mode.

The error message has been updated with openssl-3.0.5-5.
In the past the command used to return:
$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:

And now it returns:
$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

To be compatible with all versions, only check the common part:
Error setting digest

Mark the test as xfail since installation is currently not working.

Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c853cfde by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
cert utilities: MAC verification is incompatible with FIPS mode

The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dfba6ebf by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
FIPS setup: fix typo filtering camellia encryption

The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.

Fix the typo (camelia vs camellia) in order to filter properly.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2904b15a by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
Spec file: bump krb5_kdb_version on rawhide

fedora 38 now uses krb5 1.20.1 which provides
krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
30497892 by Florence Blanc-Renaud at 2022-12-20T17:06:20+01:00
ipatests: update the xfail annotation for test_number_of_zones

The test is failing on fedora 36+, update and simplify the
xfail condition.

Related: https://pagure.io/freeipa/issue/9135

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
782873a2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
azure tests: move to fedora 37

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fd212045 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove unneeded disable=unused-private-member

pylint fixed issue https://github.com/PyCQA/pylint/issues/4756
and we don't need anymore to disable this check.

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
51e0f751 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove useless suppression

The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
240b46db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable redefined-slots-in-subclass

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
081dd263 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable used-before-assignment

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
328fb642 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: replace deprecated distutils module

PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ac69ad4b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable modified-iterating-list

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
22f182ee by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove arguments-renamed warnings

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
5434c12b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable using-constant-test

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3336236f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unnecessary-dunder-call message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2b97c8ca by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable unnecessary-lambda-assignment message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
84c4792b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable missing-timeout message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
71496be7 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix implicit-str-concat

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b9ea3fcb by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix duplicate-value

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
433599fd by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix deprecated-class SafeConfigParser

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a95e11db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable invalid-sequence-index

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
07111438 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unhashable-member

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4e998848 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable useless-object-inheritance

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3d211b4f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix consider-iterating-dictionary

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
015e25a5 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
62e2d111 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
85037db2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable deprecated-module message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d673fdab by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Lint in single process mode

There are several known problems with multiprocess mode.
For example, https://github.com/PyCQA/pylint/issues/3232.

In other words the lint result depends on the number of jobs.
The most correct report is expected for single process.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
f9822697 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: More allowed C extensions

Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
68ab438f by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated extension-pkg-whitelist

`extension-pkg-whitelist` is deprecated in favour of
`extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
c48c76e9 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix cyclic-import

Most of `cyclic-import` issues reported by Pylint are false-positive
and they are already handled in the code, but several ones are the
actual errors.

Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
1261bbf0 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated pipes

`pipes` module is deprecated as of Python 3.11.
https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The
  pipes module is deprecated (see PEP 594 for details).

IPA code used only `quote` function from `pipes` that in turn is
the alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b1237656 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix used-before-assignment

> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
acc2daf2 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix modified-iterating-list

https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:
> Emitted when items are added or removed to a list being iterated
through. Doing so can result in unexpected behaviour, that is why it is
preferred to use a copy of the list.

https://docs.python.org/3/tutorial/controlflow.html#for-statements:
> Code that modifies a collection while iterating over that same
collection can be tricky to get right. Instead, it is usually more
straight-forward to loop over a copy of the collection or to create a
new collection

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
dc8c8a78 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unnecessary-lambda-assignment

https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than
defining a standard function with the "def" keyword.

https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that
binds a lambda expression directly to an identifier:
def f(x): return 2*x
f = lambda x: 2*x
The first form means that the name of the resulting function object is
specifically ‘f’ instead of the generic ‘<lambda>’. This is more useful
for tracebacks and string representations in general. The use of the
assignment statement eliminates the sole benefit a lambda expression can
offer over an explicit def statement (i.e. that it can be embedded
inside a larger expression)

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bd7b5bf7 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unhashable-member

https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't
define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting
existing keys. Return None.
update() accepts either another dictionary object or an iterable of
key/value pairs (as tuples or other iterables of length two). If keyword
arguments are specified, the dictionary is then updated with those
key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bccd3c94 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix useless-object-inheritance

https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:
> Used when a class inherit from object, which under python3 is
implicit, hence can be safely removed from bases.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2009889d by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated cgi module

https://docs.python.org/3/library/cgi.html#module-cgi:
> Deprecated since version 3.11, will be removed in version 3.13: The
cgi module is deprecated (see PEP 594 for details and alternatives).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b5f2b0b1 by Florence Blanc-Renaud at 2023-01-11T12:55:04+01:00
ipatests: mark test_smb as xfail

Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.

Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
894dca12 by Florence Blanc-Renaud at 2023-01-16T08:40:16+01:00
server install: remove error log about missing bkup file

The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install

In the last case, the client installer is called with
options.on_master=True
As a result, it's skipping the part that is creating the krb5
configuration:
    if not options.on_master:
        nolog = tuple()
        configure_krb5_conf(...)

The configure_krb5_conf method is the place where the krb5.conf file is
backup'ed with the extention ".ipabkp". For a master installation, this
code is not called and the ipabkp file does not exist => delete raises
an error.

When delete fails because the file does not exist, no need to log an
error message.

Fixes: https://pagure.io/freeipa/issue/9306
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0fa95852 by Florence Blanc-Renaud at 2023-01-17T14:53:35+01:00
Tests: force key type in ACME tests

PKI can issue ACME certs only when the key type is rsa.

With version 2.0.0, certbot defaults to ecdsa key type,
and this causes test failures.
For now, force rsa when requesting an ACME certificate.
This change can be reverted when PKI fixes the issue
on their side (https://github.com/dogtagpki/pki/issues/4273)

Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d1a3585 by Florence Blanc-Renaud at 2023-01-17T22:42:25+01:00
Installer: create RID base before domain object

The installer is currently creating the samba domain object
before it adds the RID base and secondary RID base. As a consequence,
there is a window during which the sidgen plugin is active but
unable to generate SIDs (it requires the samba domain object to
find the domain SID and RID base to know where to start from).
There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

This fix configures the RID base and secondary RID base before the
domain object is created, thus removing this window.

Fixes: https://pagure.io/freeipa/issue/9309
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2520a7ad by Filip Dvorak at 2023-01-20T10:02:02+01:00
ipa tests: Add LANG before kinit command to fix issue with locale settings

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
364116c2 by Antonio Torres at 2023-01-24T14:54:37+01:00
API doc: validate generated reference

Extend 'makeapi --validate' to validate API Reference files too. If
differences are found between the generated and stored docs the
validation fails. This command is executed in our Azure pipelines, so
every time a developer opens a PR but forgets to update the API
Reference, the CI will fail.

Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0e06786a by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: unify with RHEL9 spec

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
2a69d056 by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: use %autosetup instead of %setup

This change fixes rpminspect issues reported when building
for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file.  It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros.  You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section).  The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file.  So Patch47
is applied with a %patch47 macro.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
97fc368d by Florence Blanc-Renaud at 2023-01-25T13:45:53-05:00
trust-add: handle missing msSFU30MaxGidNumber

When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
51b1c22d by Rob Crittenden at 2023-01-27T13:00:22+01:00
doc: Design for certificate pruning

This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1be3188e by Stanislav Levin at 2023-01-31T11:21:34+01:00
ipatests: healthcheck: Handle missing fips-mode-setup

freeipa-healthcheck prechecks existance of `fips-mode-setup` and
reports if it's missing:
> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fb22c8e5 by Stanislav Levin at 2023-02-01T10:54:12+01:00
spec: Drop no longer used build dependency on paste

With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced
with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
  github. Patches are accepted to keep it on life support, but for the
  most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ff31b0c4 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add ipa_ca_name checking to DNS system records

freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6ca11968 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck

freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d662b125 by Stanislav Levin at 2023-02-02T07:31:15+01:00
tests: Configure DNSResolver as platform agnostic resolver

Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver`
unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf`
or this file may not contain any configured name servers.

`TestDNSResolver` unit tests check only customized `nameservers`
property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is
  configured in the normal fashion for the operating system the resolver
  is running on. (I.e. by reading a /etc/resolv.conf file on POSIX
  systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9246a8a0 by Rob Crittenden at 2023-02-02T13:42:57+01:00
ipa-acme-manage: add certificate/request pruning management

Configures PKI to remove expired certificates and non-resolved
requests on a schedule.

This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.

Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.

A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.

No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden rcritten at redhat.com
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f10d1a0f by Rob Crittenden at 2023-02-02T13:42:57+01:00
doc: add the --run command for manual job execution

A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2857bc69 by Florence Blanc-Renaud at 2023-02-02T15:21:25+01:00
automember-rebuild: add a notice about high CPU usage

The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
1a965a3a by David Pascual at 2023-02-04T17:14:08+01:00
ipatests: fix (prci_checker) duplicated check & error return code

Fix 1: timeout field was being checked twice and did not return fail code on error

Fix 2: Tool did not return error code on single file check unsuccessful run

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d24b6998 by Rob Crittenden at 2023-02-05T10:31:19+01:00
tests: add wrapper around ACME RSNv3 test

This test is located outside of the TestACMEPrune because
it enables RSNv3 while the server installed by TestACME doesn't.

It still needs a wrapper to enforce a version of PKI that
supports pruning because that is checked first in the tool.
Re-ordering that wouldn't be a good user experience.

https://pagure.io/freeipa/issue/9322

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a20acb6f by Antonio Torres at 2023-02-08T11:44:01+01:00
API doc: add note about ipa show-mappings to usage guide

As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a786d3d5 by Chris Kelley at 2023-02-09T14:52:33-05:00
Check that CADogtagCertsConfigCheck can handle cert renewal

Renewal causes two certs to have the same nickname. Dogtag is
patched to allow for N certs with the same nickname, and this test
is to verify that CADogtagCertsConfigCheck still passes.

Related: https://github.com/dogtagpki/pki/pull/4285
Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
649c35aa by Antonio Torres at 2023-02-09T16:12:56-05:00
API doc: add usage guides for groups, HBAC and sudo rules

Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
20ff7c16 by Rob Crittenden at 2023-02-09T21:46:16-05:00
Fix setting values of 0 in ACME pruning

Replace comparisons of "if value" with "if value is not None"
in order to handle 0.

Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
4e0ad96f by Rob Crittenden at 2023-02-09T21:48:55-05:00
Wipe the ipa-ca DNS record when updating system records

If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0206369e by Alexander Bokovoy at 2023-02-09T21:51:43-05:00
ipa-kdb: PAC consistency checker needs to handle child domains as well

When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6cb905d by Anuja More at 2023-02-09T21:51:43-05:00
Add test for SSH with GSSAPI auth.

Added test for aduser with GSSAPI authentication.

Related : https://pagure.io/freeipa/issue/9316

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0f77b359 by Mohammad Rizwan at 2023-02-13T17:33:14-05:00
ipatests: tests for certificate pruning

1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
450e78f5 by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Allow file access from files in tests

https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
  override for developers who need the old behavior for testing.

Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
425cad6f by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Load qunit only once

webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html

>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2

>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
  dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8fe8b262 by Stanislav Levin at 2023-02-17T18:13:44+01:00
AP: webui: List installed nodejs packages

It's helpful for debugging regressions.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9b8e8edc by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Update vendored qunit

Updated qunit to latest supported version from
https://code.jquery.com/qunit.

See https://qunitjs.com/intro/#release-channels for details.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41c32174 by David Pascual at 2023-02-20T08:12:20+01:00
doc: Use case examples for PR-CI checker tool

This document showcases common usecases for the user to
interact with the PR-CI checker tool.

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
88b9be29 by mbhalodi at 2023-02-20T08:17:08+01:00
ipatests: ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage.
Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2a2132cc by Anuja More at 2023-02-20T16:42:29+01:00
PRCI: update test_trust.py for nightly pipelines.

test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
fe13baa0 by Rob Crittenden at 2023-02-21T08:18:07+01:00
doc: Update pruning design with implement enable/disable options

Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.

So --enable=TRUE to --enable and --enable=FALSE to --disable

Fixes: https://pagure.io/freeipa/issue/9323

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e7c642ba by Mohammad Rizwan at 2023-02-22T09:11:24+01:00
ipatests: fix tests in TestACMEPrune

When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.

Second fix is related to mismatch of confing setting and corresponding
assert.

Third fix is related to extending time by 60 minutes to properly
expire the certs.

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cd07413c by mbhalodi at 2023-02-22T15:43:23+01:00
ipatests: WebUI - ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage
in the WebUI. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
0a8a3922 by Florence Blanc-Renaud at 2023-02-23T07:43:05+01:00
ipatests: increase timeout for test_acme

The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.

Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).

Also create a separate job for the new test TestACMEPrune.

Fixes: https://pagure.io/freeipa/issue/9324

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a94f7bbf by Timo Aaltonen at 2023-02-27T12:09:25+02:00
copyright, watch: Filter prebuilt html documentation from the tarball.

- - - - -
b0af80ed by Timo Aaltonen at 2023-02-27T12:09:42+02:00
tests: Dump journalctl on fail

- - - - -
7dbd5758 by Timo Aaltonen at 2023-02-27T12:10:28+02:00
fix-ldap-so-path.diff: Specify the path to ldap.so again, and use multiarch path.

- - - - -
8ab6fd30 by Timo Aaltonen at 2023-02-27T12:10:40+02:00
tests: Dump journalctl for select services

- - - - -
88039385 by Christian Heimes at 2023-03-01T04:58:45+01:00
Don't block when kinit_pkinit() fails

Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.

`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.

Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6a4d34fb by Carla Martinez at 2023-03-03T04:55:48+01:00
Update 'Auth indicators' doc string

The doc string located in the 'Authentication
indicators' ('Services' settings page) was
missing the usage explanation for the 'ipd'
checkbox option.

Fixes: https://pagure.io/freeipa/issue/9338
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b152e8c3 by Stanislav Levin at 2023-03-03T05:01:33+01:00
dns: Fix support for dnspython 1.1x

`nameservers` was transformed into the property in dnspython 2:
https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74

This causes
> AttributeError: type object 'Resolver' has no attribute 'nameservers'
on the previous dnspython 1.1x.

Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e3507563 by Rafael Guterres Jeffman at 2023-03-03T05:04:31+01:00
Migrated to SPDX license.

According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fixes: https://pagure.io/freeipa/issue/9342

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9323bafb by Thorsten Scherf at 2023-03-07T13:19:54+01:00
external-idp: change idp server name to reference name

When you  run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
34d048ed by Florence Blanc-Renaud at 2023-03-14T17:50:25+01:00
ipatests: adapt for new automembership fixup behavior

The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.

Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
983a6516 by Anuja More at 2023-03-15T09:34:33+01:00
ipatests: Test ipa-advise is not failing with error.

The ipa-advise command should not fail
with error in command.

Related: https://pagure.io/freeipa/issue/6044

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>

- - - - -
e1f4f655 by Erik Belko at 2023-03-15T18:30:08+01:00
ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
b93f6b52 by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Don't fail if optional RPM macros file is missing

With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore like it happens now in Fedora.

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
84f5f87b by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Use system-wide chromium for webui tests

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
aacaafce by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Fix tox in Azure CI

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
051bbe36 by Anuja More at 2023-03-23T09:08:06+01:00
ipatests: Test that non admin user can search hbac rule.

Related : https://pagure.io/freeipa/issue/5130

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b1b7cbc0 by Antonio Torres at 2023-03-23T17:12:01+01:00
ipaserver: deepcopy objectclasses list from IPA config

We need to deepcopy the list of default objectlasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affect the cached IPA config.

Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
e07ead94 by Alexander Bokovoy at 2023-03-30T08:11:22+02:00
ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by

Added in Python Cryptography 40.0
Thanks to @tiran for the code

Fixes: https://pagure.io/freeipa/issue/9355

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ae014c6a by Florence Blanc-Renaud at 2023-03-30T14:57:57+02:00
ipatests: increase timeout for test_trust

The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
3eed25e9 by Antonio Torres at 2023-03-30T15:49:45+02:00
doc: allow notes on Param API Reference pages

The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
54026270 by Stanislav Levin at 2023-03-30T16:16:42+02:00
fastlint: Correct concatenation of file lists

`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists was
linted/ stylechecked if both Python template files and Python
modules were changed.

Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments

Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
def07260 by Florence Blanc-Renaud at 2023-04-05T09:27:45+02:00
ipatests: fix test definition for test_trust

The nightly test test_trust.py has been split into 2 jobs,
one for test_trust.py::TestTrust (test_trust) and the other
for the remaining test classes from the same file
(test_trust_autoprivate).

The backport forgot to narrow down the first job definition
to the class test_trust.py::TestTrust in the 4-10_previous
pipeline. Fix this omission.

Related: https://pagure.io/freeipa/issue/9326
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
6db9bbd8 by mbhalodi at 2023-04-05T09:40:25+02:00
ipatests: add missing automember-cli tests

Revisit the bash tests and port the valid
tests to upstream.

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
03180bed by Jarl Gullberg at 2023-04-05T09:50:08+02:00
ipaplatform/debian: fix path to ldap.so

bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.

This fixes the default path to use the appropriate location in its
multiarch-qualified path.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>

- - - - -
1b38ab17 by Jarl Gullberg at 2023-04-05T09:52:52+02:00
install: Fix missing dyndb keytab directive

bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.

This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e7506403 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
Ignore empty modification error in case cifs/.. principal already added

Constrained delegation target may already be configured by default.

Related: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52e6da90 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
test_xmlrpc: adopt to automember plugin message changes in 389-ds

Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7a7ba45c by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only

Confine search for S4U2Proxy access control lists to the subtree where
they created. This will allow to use a similar method to describe RBCD
access controls.

Related: https://pagure.io/freeipa/issue/5444

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
18cd909b by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc: add design document for Kerberos constrained delegation

FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.

Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.

This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5b6ad0e6 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
IPA API changes to support RBCD

IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7ac6adfa by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
kdb: implement RBCD handling in KDB driver

Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.

The callback is supposed to take a client and a server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.

The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d68f4f0 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
RBCD: add basic test for RBCD handling

Add a test that uses IPA API to allow delegation of RBCD configuration
to a host and then use it to set up RBCD rule for a service.

Run RBCD check when the rule exists and when the rule is removed.

Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b63e6a25 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc/designs/rbcd.md: add usage examples

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cb18ca31 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc/designs/rbcd.md: document use of S-1-18-* SIDs

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9c6b4f44 by Antonio Torres at 2023-04-06T17:36:18+02:00
Extend API documentation

This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
  permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
304fd550 by mbhalodi at 2023-04-13T10:51:52+02:00
ipatests: Test for sequence processing failures with server context

1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.

Related: https://pagure.io/freeipa/issue/9349

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
e2b08433 by Florence Blanc-Renaud at 2023-04-17T15:17:00-04:00
ipatests: mark known failures for autoprivategroup

Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d63756eb by Christian Heimes at 2023-04-18T12:12:47+02:00
Speed up installer by restarting DS after DNA plugin

DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.

DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.

Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3b64eaa1 by Todd Zullinger at 2023-04-18T15:24:43+02:00
spec: verify upstream source signature

Per the Fedora packaging guidelines¹.

The GPG key was generated using details found on the wiki².  The
following commands can be used to fetch the signing key via fingerprint
and extract it:

    fpr=0E63D716D76AC080A4A33513F40800B6298EB963
    gpg --keyserver keys.openpgp.org --receive-keys $fpr
    gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
90d0f049 by Todd Zullinger at 2023-04-18T15:24:43+02:00
spec: silence krb5 pkgconf errors in %krb5_base_version

Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:

    Package krb5 was not found in the pkg-config search path.
    Perhaps you should add the directory containing `krb5.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'krb5', required by 'virtual:world', not found

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build.  It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1f10aebc by Michal Polovka at 2023-04-20T12:57:32+02:00
ipatest: loginscreen: do not use hardcoded password

Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.

https://pagure.io/freeipa/issue/9226

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Erik Belko <ebelko at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e2576670 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Enforce sizelimit in cert-find

The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.

A value of 0 will retain old behavior and return all certificates.

The default value is the LDAP searchsizelimit.

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
50dd79d1 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Use the OpenSSL certificate parser in cert-find

cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136

The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.

pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.

CLI times from before and after:

original:

-------------------------------
Number of entries returned 5011
-------------------------------
real    0m21.155s
user    0m0.835s
sys     0m0.159s

using OpenSSL:

real    0m5.747s
user    0m0.864s
sys     0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests.  See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
bdb77a3d by Timo Aaltonen at 2023-04-28T09:51:56+02:00
Drop duplicate includedir from krb5.conf

SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
918b6e01 by Florence Blanc-Renaud at 2023-04-29T13:49:09+02:00
cert_find: fix call with --all

When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d787c21 by Stanislav Levin at 2023-04-29T13:50:44+02:00
ipasphinx: Correct import of progress_message for Sphinx 6.1.0+

Pylint reports false-negative result for Sphinx 6.1.0+:

```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```

Actually `sphinx.util.progress_message` is still available in Sphinx 6.1
but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis

Related change:
https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab

Fixes: https://pagure.io/freeipa/issue/9361
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a7c0683 by Rafael Guterres Jeffman at 2023-04-29T13:52:12+02:00
Fix "no entry" condition when searching PAC info

Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.

Fixes: https://pagure.io/freeipa/issue/9368

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76c78827 by Sudhir Menon at 2023-04-29T13:55:57+02:00
ipatests: ipa-adtrust-install command test scenarios

This patch includes additional testcase that can be run
against ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c43d914 by Alexander Bokovoy at 2023-05-04T10:52:40+02:00
Change doc theme to 'book'

RTD theam is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
717228c9 by Florence Blanc-Renaud at 2023-05-04T14:31:59+02:00
Nightly test: add +15min for test_ipahealthcheck

The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.

Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
846c267f by mbhalodi at 2023-05-04T16:12:25+02:00
ipatests: add remove automember condition tests

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d95c4cf1 by Florence Blanc-Renaud at 2023-05-04T18:18:26+02:00
spec file: force nodejs < 20 on fedora < 39

On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.

Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.

Fixes: https://pagure.io/freeipa/issue/9374

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
16a81062 by s1341 at 2023-05-04T21:30:34+02:00
ipaplatform: add initial nixos support

Fixes: https://pagure.io/freeipa/issue/9299
Signed-off-by: Shmarya Rubenstein <github at shmarya.net>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3a9a5bda by Florence Blanc-Renaud at 2023-05-08T13:55:15-04:00
idview: improve performance of idview-show

The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the ad user aduser at ad.test.

The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.

Fixes: https://pagure.io/freeipa/issue/9372

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12d1aafe by Florence Blanc-Renaud at 2023-05-11T13:47:46+02:00
Tests: test on f37 and f38

Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
bc394432 by Michal Polovka at 2023-05-16T17:32:14+02:00
ipatests: commands: Wait for the SSSD to become available

Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.

Fixes: https://pagure.io/freeipa/issue/9377

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
627c1101 by Florence Blanc-Renaud at 2023-05-16T14:37:21-04:00
azure tests: move to fedora 38

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
81a6b9ad by Rob Crittenden at 2023-05-16T16:23:47-04:00
Return the <Message> value cert-find failures from the CA

If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.

The new message will appear as:

$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)

vs the old generic message:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.

https://pagure.io/freeipa/issue/9369

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
edcdcf83 by Mohammad Rizwan at 2023-05-22T08:02:30+02:00
ipatests: wait for sssd-kcm to settle after date change

In order to expire the ACME cert, system is moved and while
issuing the kinit command, results into failure.

Hence run kinit command repeatedly untill things get settle.

This patch removes the sleep and adds tasks.run_repeatedly()
method instead.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7830ab96 by Florence Blanc-Renaud at 2023-05-23T20:59:03+02:00
user or group name: explain the supported format

The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
58173c02 by Jerry James at 2023-05-24T14:08:45-04:00
Change fontawesome-fonts requires to match fontawesome 4.x

fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.

This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.

Signed-off-by: Jerry James <loganjerry at gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
abe71fe1 by Rob Crittenden at 2023-05-24T17:57:22-04:00
Mention in ipa-client-install that nscd is disabled

Also warn that similar services may also need to be disabled.
An example is an nscd replacement named unscd.

Fixes: https://pagure.io/freeipa/issue/9086

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a6f485fc by Florence Blanc-Renaud at 2023-05-25T08:32:59+02:00
ACME tests: fix issue_and_expire_acme_cert method

The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.

Fixes: https://pagure.io/freeipa/issue/9383

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
630cda5c by Julien Rische at 2023-06-01T08:01:00+02:00
kdb: Use krb5_pac_full_sign_compat() when available

In November 2022, Microsoft introduced a new PAC signature type called
"extended KDC signature" (or "full PAC checksum"). This new PAC
signature will be required by default by Active Directory in July 2023
for S4U requests, and opt-out will no longer be possible after October
2023.

Support for this new signature type was added to MIT krb5, but it relies
on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
the code generating extended KDC signatures cannot be backported as it
is without backporting the full new KDB API code too. This would have
too much impact to be done.

As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
8 will include a downstream-only update adding the
krb5_pac_full_sign_compat() function, which can be used in combination
with the prior to 1.20 KDB API to generate PAC extended KDC signatures.

Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bbe545ff by Julien Rische at 2023-06-01T08:01:00+02:00
Tolerate absence of PAC ticket signature depending of server capabilities

Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.

However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.

This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.

On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
absence of PAC ticket signatures, if necessary.

This commit adds an extra step during the installation and update
processes where it adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA what built with was 1.20 or newer.

This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at the KDC starting time by search the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least of them is missing, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.

For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.

Given the fact the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC starting time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires to restart all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.

Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ea3b866 by Julien Rische at 2023-06-01T08:01:00+02:00
Filter out constrained delegation ACL from KDB entry

Commit f78dc0b163 was missing an exception for the constrained
delegation ACL TL data type during the principal entry update operation.
This ACL is not meant to be stored as encoded data in krbExtraData.

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3d0decd9 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

>From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums.  If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer.  This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
803a4477 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: protect against context corruption

Early in startup LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for time
being we should prevent a crash.

Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.

Do not call any free() call because the whole context is corrupted as
tests do show.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
fefa0248 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: postpone ticket checksum configuration

Postpone ticket checksum configuration after KDB module was initialized.
This, in practice, should now happen when a master key is retrieved.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
bd8fcd6f by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: process out of realm server lookup during S4U

Kerberos principal aliases lookup had a long-standing TODO item to
support server referrals for host-based aliases. This commit implements
server referrals for hosts belonging to trusted domains. The use-case is
a part of S4U processing in a two-way trust when an IPA service requests
a ticket to a host in a trusted domain (e.g. service on AD DC). In such
situation, the server principal in TGS request will be a normal principal
in our domain and KDC needs to respond with a server referral. This
referral can be issued by a KDB driver or by the KDC itself, using
'domain_realms' section of krb5.conf. Since KDB knows all suffixes
associated with the trusted domains, implement the logic there.

Fixes: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
1b55e9b1 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: skip verification of PAC full checksum

MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.

This should have no functional difference.

Related: https://pagure.io/freeipa/issue/9371

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
11ce2b21 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipalib/x509.py: Add signature_algorithm_parameters

Python-cryptography 41.0.0 new abstract method.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
325a1319 by Rob Crittenden at 2023-06-02T10:00:57+02:00
Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3

Only three remaining scripts used this form, two of which are
for developers only and not shipped.

The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.

Fixes: https://pagure.io/freeipa/issue/8941

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
f2b821ab by Alexander Bokovoy at 2023-06-02T16:01:41-04:00
ipa-kdb: be compatible with krb5 1.19 when checking for server referral

Related: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
58017abe by Rob Crittenden at 2023-06-02T18:30:08-04:00
Don't allow a group to be converted to POSIX and external

This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
283f5463 by Florence Blanc-Renaud at 2023-06-05T14:00:17+02:00
ipatest: remove xfail from test_smb

test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.

Remove the xfail.

Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
e3797ca2 by Antonio Torres at 2023-06-06T09:40:38+02:00
Update translations to FreeIPA ipa-4-10 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
03b92fb4 by Antonio Torres at 2023-06-06T09:43:34+02:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
2fd9cbbe by Antonio Torres at 2023-06-06T10:01:01+02:00
Become IPA 4.10.2

- - - - -
1099db0f by Timo Aaltonen at 2023-06-07T14:46:19+03:00
Merge branch 'upstream'

- - - - -
f52e2b0a by Timo Aaltonen at 2023-06-07T14:46:39+03:00
version bump

- - - - -
78ec5308 by Timo Aaltonen at 2023-06-07T14:49:16+03:00
drop upstreamed patches

- - - - -


30 changed files:

- .wheelconstraints.in
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/man/ipa-client-install.1
- configure.ac
- contrib/lite-server.py
- contrib/lite-setup.py
- daemons/dnssec/ipa-dnskeysyncd.in
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_common.c
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_v6.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-otpd/ipa-otpd at .service.in
- debian/changelog
- debian/copyright
- − debian/patches/install-fix-missing-dyndb-keytab-directive.diff
- debian/patches/series
- debian/tests/server-install
- debian/watch
- doc/api/A6Record.md
- doc/api/AAAARecord.md
- doc/api/AFSDBRecord.md
- doc/api/APLRecord.md
- doc/api/ARecord.md


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/2da091cd0e848d5d533ff85334ed1976014b28c1...78ec530871875bf4a94c49df01a4a1e145fc006f

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/2da091cd0e848d5d533ff85334ed1976014b28c1...78ec530871875bf4a94c49df01a4a1e145fc006f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20230607/e52a36ba/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list