freeipa/VERSION.m4

153 lines
6.8 KiB
Plaintext
Raw Normal View History

########################################################
# FreeIPA Version #
# #
# FreeIPA versions are as follows #
# 1.0.x New production series #
# 1.0.x{alpha,beta,rc}y Alpha/Preview/Testing, Beta, #
# Release Candidate #
# 1.0.0.dev20170102030405+gitabcdefg Build from GIT #
# #
########################################################
########################################################
# This are the main version numbers #
# #
# <MAJOR>.<MINOR>.<RELEASE> #
# #
# e.g. define(IPA_VERSION_MAJOR, 1) #
# define(IPA_VERSION_MINOR, 0) #
# define(IPA_VERSION_RELEASE, 0) #
# -> "1.0.0" #
########################################################
define(IPA_VERSION_MAJOR, 4)
define(IPA_VERSION_MINOR, 11)
2019-07-03 01:29:22 -05:00
define(IPA_VERSION_RELEASE, 0)
########################################################
# For 'pre' releases the version will be #
# #
# <MAJOR>.<MINOR>.<RELEASE><PRE_RELEASE> #
# #
# pre releases start with RELEASE 90. After pre1 has #
# been released, RELEASE is bumpled to 91, and so on #
# #
# e.g. define(IPA_VERSION_PRE_RELEASE, rc1) #
# -> "1.0.0rc1" #
########################################################
define(IPA_VERSION_PRE_RELEASE, )
########################################################
# To mark GIT snapshots this should be set to 'yes' #
# in the development BRANCH, and set to 'no' only in #
# the IPA_X_X_RELEASE BRANCH #
# #
# <MAJOR>.<MINOR>.<RELEASE>.dev<TIMESTAMP>+git<hash> #
# #
# e.g. define(IPA_VERSION_IS_GIT_SNAPSHOT, yes) #
# -> "1.0.0.dev20170102030405+gitabcdefg" #
# #
# This option works only with GNU m4: #
# it requires esyscmd m4 macro. #
########################################################
define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
########################################################
# git development branch: #
# #
# - master: define(IPA_GIT_BRANCH, master) #
# - ipa-X-X: define(IPA_GIT_BRANCH, #
# ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR) #
########################################################
define(IPA_GIT_BRANCH, master)
dnl define(IPA_GIT_BRANCH, ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)
########################################################
# The version of IPA data. This is used to identify #
# incompatibilities in data that could cause issues #
# with replication. If the built-in versions don't #
# match exactly then replication will fail. #
# #
# The format is %Y%m%d%H%M%S #
# #
# e.g. define(IPA_DATA_VERSION, 20100614120000) #
# -> "20100614120000" #
########################################################
define(IPA_DATA_VERSION, 20100614120000)
########################################################
# The version of the IPA API. This controls which #
# client versions can use the XML-RPC and json APIs #
# #
# A change to existing API requires a MAJOR version #
# update. The addition of new API bumps the MINOR #
# version. #
# #
# The format is a whole number #
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
# Last change: add passkey support
define(IPA_API_VERSION_MINOR, 253)
########################################################
# Following values are auto-generated from values above
# That way m4 madness lies
########################################################
########################################################
# IPA_NUM_VERSION is auto-generated
# format suitable for aritmetical comparison.
########################################################
dnl for some reason AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
dnl does not work when we use macro "format" instead of "esyscmd"
define(IPA_NUM_VERSION, esyscmd(printf "%d%02d%02d" IPA_VERSION_MAJOR IPA_VERSION_MINOR IPA_VERSION_RELEASE))
########################################################
# IPA_API_VERSION: format is APImajor.APIminor
########################################################
define(IPA_API_VERSION, IPA_API_VERSION_MAJOR.IPA_API_VERSION_MINOR)
########################################################
# IPA_VERSION is one string formated according to rules
# described on top of this file
########################################################
dnl helper for translit in IPA_VERSION
define(NEWLINE,`
')
dnl Git snapshot: dev20170102030405+gitabcdefg
define(IPA_GIT_VERSION, translit(dnl remove new lines from version (from esyscmd)
ifelse(IPA_VERSION_IS_GIT_SNAPSHOT, yes,dnl
dev
esyscmd(date -u +'%Y%m%d%H%M')dnl 20170102030405
+git
esyscmd(git log -1 --format="%h" HEAD),dnl abcdefg
), NEWLINE))
dnl IPA_GIT_VERSION end
define(IPA_VERSION, translit(dnl remove new lines from version (from esyscmd)
dnl 1.0.0
IPA_VERSION_MAJOR.IPA_VERSION_MINOR.IPA_VERSION_RELEASE
IPA_VERSION_PRE_RELEASE
dnl version with Git snapshot: 1.0.0.dev20170102030405+gitabcdefg
ifelse(IPA_VERSION_IS_GIT_SNAPSHOT, yes,
.
IPA_GIT_VERSION),
NEWLINE)) dnl IPA_VERSION end
Tolerate absence of PAC ticket signature depending of server capabilities Since November 2020, Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests. However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests. Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA. This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests. On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the absence of PAC ticket signatures, if necessary. This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA what built with was 1.20 or newer. This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry attribute. This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at the KDC starting time by search the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least of them is missing, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry. For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled. Given the fact the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC starting time based on the ipaConfigString attributes of all the KDCs in the domain, this requires to restart all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect. Fixes: https://pagure.io/freeipa/issue/9371 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-07 10:04:06 -05:00
########################################################
# Version of MIT krb5 used to build IPA
########################################################
define(IPA_KRB5_BUILD_VERSION, translit(esyscmd(krb5-config --version | awk '{ print $NF }'), NEWLINE))
dnl DEBUG: uncomment following lines and run command m4 VERSION.m4
dnl `IPA_VERSION: ''IPA_VERSION'
dnl `IPA_GIT_VERSION: ''IPA_GIT_VERSION'
2018-03-16 11:44:32 -05:00
dnl `IPA_GIT_BRANCH: ''IPA_GIT_BRANCH'
dnl `IPA_API_VERSION: ''IPA_API_VERSION'
dnl `IPA_DATA_VERSION: ''IPA_DATA_VERSION'
dnl `IPA_NUM_VERSION: ''IPA_NUM_VERSION'
Tolerate absence of PAC ticket signature depending of server capabilities Since November 2020, Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests. However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests. Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA. This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests. On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the absence of PAC ticket signatures, if necessary. This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA what built with was 1.20 or newer. This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry attribute. This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at the KDC starting time by search the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least of them is missing, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry. For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled. Given the fact the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC starting time based on the ipaConfigString attributes of all the KDCs in the domain, this requires to restart all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect. Fixes: https://pagure.io/freeipa/issue/9371 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-07 10:04:06 -05:00
dnl `IPA_KRB5_BUILD_VERSION: ''IPA_KRB5_BUILD_VERSION'