update patches

debian/changelog

@@ -1,3 +1,10 @@
+freeipa (3.4~git20140617-1) UNRELEASED; urgency=medium
+
+  * git snapshot.
+    - drop a bunch of patches, update others.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com>  Tue, 17 Jun 2014 16:09:16 +0300
+
 freeipa (3.3.4-1) UNRELEASED; urgency=low
 
   [ Michele Baldessari ]

debian/patches/add-debian-platform.diff

@@ -196,13 +196,331 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +                services[s] = debian_service(s)
 +        # Call base class constructor. This will lock services to read-only
 +        super(DebianServices, self).__init__(services)
---- a/ipapython/setup.py.in
+--- /dev/null
-+++ b/ipapython/setup.py.in
++++ b/ipaplatform/debian/__init__.py
-@@ -68,6 +68,7 @@ def setup_package():
+@@ -0,0 +1,22 @@
-             packages = [ "ipapython",
++# Authors:
-                          "ipapython.platform",
++#   Timo Aaltonen <tjaalton@ubuntu.com>
-                          "ipapython.platform.base",
++#
-+                         "ipapython.platform.debian",
++# Copyright (C) 2014 Timo Aaltonen
-                          "ipapython.platform.fedora16",
++# see file 'COPYING' for use and warranty information
-                          "ipapython.platform.fedora18",
++#
-                          "ipapython.platform.redhat" ],
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This module contains Debian specific platform files.
++"""
+--- /dev/null
++++ b/ipaplatform/debian/authconfig.py
+@@ -0,0 +1,51 @@
++# Authors:
++#   Timo Aaltonen <tjaalton@ubuntu.com>
++#
++# Copyright (C) 2014 Timo Aaltonen
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++from ipapython import ipautil
++from ipaplatform.base.authconfig import AuthConfig
++
++class DebianAuthConfig(base.AuthConfig):
++    """
++    Debian implementation of the AuthConfig class.
++
++    Debian doesn't provide a single application for changing both
++    nss and pam configuration. PAM can be configured using debconf but
++    there is currently no such solution for updating NSS database and
++    every package does it by itself.
++
++    We'll have to play a catch-up game with the rest of the FreeIPA
++    project filtering out .enable() and .disable() calls that are
++    useless for us, and making the best out of the rest of them.
++    """
++
++    def __build_args(self):
++        args = ['--force',  '--package']
++        for (option, value) in self.parameters.items():
++            if option == "sssdauth":
++                option = "sss"
++            if type(value) is bool and not value:
++               if not any("remove" in s for s in args):
++                    args.append("--remove")
++               args.append("%s" % (option))
++        return args
++
++    def execute(self):
++        env = {"DEBCONF_FRONTEND" : "noninteractive"}
++        args = self.__build_args()
++        ipautil.run(["/usr/sbin/pam-auth-update"] + args, env = env)
+--- /dev/null
++++ b/ipaplatform/debian/paths.py
+@@ -0,0 +1,33 @@
++# Authors:
++#   Timo Aaltonen <tjaalton@ubuntu.com>
++#
++# Copyright (C) 2014 Timo Aaltonen
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This Debian base platform module exports default filesystem paths as common
++in Debian-based systems.
++"""
++
++# Fallback to default path definitions
++from ipaplatform.base.paths import BasePathNamespace
++
++
++class DebianPathNamespace(BasePathNamespace):
++    ETC_DEBIAN_VERSION = "/etc/debian_version"
++    SBIN_SERVICE = "/usr/sbin/service"
++
++paths = DebianPathNamespace()
+--- /dev/null
++++ b/ipaplatform/debian/services.py
+@@ -0,0 +1,149 @@
++# Authors:
++#   Timo Aaltonen <tjaalton@ubuntu.com>
++#
++# Copyright (C) 2014 Timo Aaltonen
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++Contains Debian-specific service class implementations.
++"""
++
++import time
++
++from ipaplatform.tasks import tasks
++from ipaplatform.base import services as base_services
++
++from ipapython import ipautil
++from ipapython.ipa_log_manager import root_logger
++from ipalib import api
++from ipaplatform.paths import paths
++
++# Service classes that implement Debian-specific behaviour
++
++class DebianService(base_services.PlatformService):
++    def __wait_for_open_ports(self, instance_name=""):
++        """
++        If this is a service we need to wait for do so.
++        """
++        ports = None
++        if instance_name in base.wellknownports:
++            ports = base.wellknownports[instance_name]
++        else:
++            if self.service_name in base.wellknownports:
++                ports = base.wellknownports[self.service_name]
++        if ports:
++            ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
++    def stop(self, instance_name='', capture_output=True):
++        ipautil.run([paths.SBIN_SERVICE, self.service_name, "stop",
++                     instance_name], capture_output=capture_output)
++        if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
++            update_service_list = True
++        else:
++            update_service_list = False
++        super(DebianService, self).stop(instance_name)
++
++    def start(self, instance_name='', capture_output=True, wait=True):
++        ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
++                     instance_name], capture_output=capture_output)
++        if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
++            update_service_list = True
++        else:
++            update_service_list = False
++        if wait and self.is_running(instance_name):
++            self.__wait_for_open_ports(instance_name)
++        super(DebianService, self).start(instance_name)
++
++    def restart(self, instance_name='', capture_output=True, wait=True):
++        ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
++                     instance_name], capture_output=capture_output)
++        if wait and self.is_running(instance_name):
++            self.__wait_for_open_ports(instance_name)
++
++    def is_running(self, instance_name=""):
++        ret = True
++        try:
++            (sout, serr, rcode) = ipautil.run([paths.SBIN_SERVICE,
++                                              self.service_name, "status",
++                                              instance_name])
++            if sout.find("NOT running") >= 0:
++                ret = False
++            if sout.find("stop") >= 0:
++                ret = False
++        except ipautil.CalledProcessError:
++                ret = False
++        return ret
++
++    def is_installed(self):
++        installed = True
++        try:
++            ipautil.run([paths.SBIN_SERVICE, self.service_name, "status"])
++        except ipautil.CalledProcessError, e:
++            if e.returncode == 1:
++                # service is not installed or there is other serious issue
++                installed = False
++        return installed
++
++    def is_enabled(self, instance_name=""):
++        # Services are always assumed to be enabled when installed
++        return True
++
++    def enable(self):
++        return True
++
++    def disable(self):
++        return True
++
++    def install(self):
++        return True
++
++    def remove(self):
++        return True
++
++
++class DebianSSHService(DebianService):
++    def get_config_dir(self, instance_name=""):
++        return '/etc/ssh'
++
++# Function that constructs proper Debian-specific server classes for services
++# of specified name
++
++def debian_service_class_factory(name):
++    if name == 'sshd':
++        return DebianSSHService(name)
++    return DebianService(name)
++
++
++# Magicdict containing DebianService instances.
++
++class DebianServices(base_services.KnownServices):
++    def __init__(self):
++        services = dict()
++        for s in base_services.wellknownservices:
++            if s == "messagebus":
++                services[s] = debian_service_class_factory("dbus")
++            elif s == "ntpd":
++                services[s] = debian_service("ntp")
++            else:
++                services[s] = debian_service_class_factory(s)
++        # Call base class constructor. This will lock services to read-only
++        super(DebianServices, self).__init__(services)
++
++
++# Objects below are expected to be exported by platform module
++
++from ipaplatform.base.services import timedate_services
++service = debian_service_class_factory
++knownservices = DebianServices()
+--- /dev/null
++++ b/ipaplatform/debian/tasks.py
+@@ -0,0 +1,36 @@
++# Authors:
++#   Timo Aaltonen <tjaalton@ubuntu.com>
++#
++# Copyright (C) 2014 Timo Aaltonen
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This module contains default Debian-specific implementations of system tasks.
++"""
++
++from ipaplatform.paths import paths
++from ipaplatform.base.tasks import *
++
++class DebianTaskNamespace(BaseTaskNamespace):
++
++    def restore_network_configuration(self, fstore, statestore):
++        filepath = paths.ETC_HOSTNAME
++        if fstore.has_file(filepath):
++            fstore.restore_file(filepath)
++            hostname_was_configured = True
++
++
++tasks = DebianTaskNamespace()
+\ No newline at end of file
+--- a/ipaplatform/setup.py.in
++++ b/ipaplatform/setup.py.in
+@@ -67,6 +67,7 @@ def setup_package():
+             package_dir = {'ipaplatform': ''},
+             packages = ["ipaplatform",
+                         "ipaplatform.base",
++                        "ipaplatform.debian",
+                         "ipaplatform.fedora"],
+         )
+     finally:
+--- a/ipaserver/install/ntpinstance.py
++++ b/ipaserver/install/ntpinstance.py
+@@ -46,6 +46,8 @@ class NTPInstance(service.Service):
+             os = "fedora"
+         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
+             os = "rhel"
++        elif ipautil.file_exists(paths.ETC_DEBIAN_VERSION):
++            os = "debian"
+ 
+         srv_vals = []
+         srv_vals.append("0.%s.pool.ntp.org" % os)

debian/patches/check-dbus-before-starting.diff

@@ -1,9 +1,9 @@
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
-@@ -372,10 +372,11 @@ def uninstall(options, env):
+@@ -495,10 +495,11 @@ def uninstall(options, env):
      # Always start certmonger. We can't untrack something if it isn't
      # running
-     messagebus = ipaservices.knownservices.messagebus
+     messagebus = services.knownservices.messagebus
 -    try:
 -        messagebus.start()
 -    except Exception, e:
@@ -14,12 +14,12 @@
 +        except Exception, e:
 +            log_service_error(messagebus.service_name, 'start', e)
  
-     cmonger = ipaservices.knownservices.certmonger
+     cmonger = services.knownservices.certmonger
      try:
-@@ -970,10 +971,11 @@ def configure_certmonger(fstore, subject
+@@ -1070,10 +1071,11 @@ def configure_certmonger(fstore, subject
      principal = 'host/%s@%s' % (hostname, cli_realm)
  
-     messagebus = ipaservices.knownservices.messagebus
+     messagebus = services.knownservices.messagebus
 -    try:
 -        messagebus.start()
 -    except Exception, e:

debian/patches/correct-python-path.diff

@@ -1,11 +0,0 @@
---- a/Makefile
-+++ b/Makefile
-@@ -50,7 +50,7 @@ ifneq ($(DEVELOPER_MODE),0)
- LINT_OPTIONS=--no-fail
- endif
- 
--PYTHON ?= $(shell rpm -E %__python)
-+PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python)
- 
- # Uncomment to increase Java stack size for Web UI build in case it fails
- # because of stack overflow exception. Default should be OK for most platforms.

debian/patches/dont-search-platform-path.diff

@@ -1,11 +0,0 @@
---- a/ipapython/py_default_encoding/setup.py
-+++ b/ipapython/py_default_encoding/setup.py
-@@ -22,7 +22,7 @@ from distutils.sysconfig import get_pyth
- import sys
- import os
- 
--python_header = os.path.join(get_python_inc(plat_specific=1), 'Python.h')
-+python_header = os.path.join(get_python_inc(plat_specific=0), 'Python.h')
- if not os.path.exists(python_header):
-     sys.exit("Cannot find Python development packages that provide Python.h")
- 

debian/patches/fix-install-layout.diff

@@ -1,14 +0,0 @@
---- a/Makefile
-+++ b/Makefile
-@@ -82,9 +82,9 @@ client-install: client client-dirs
- 	done
- 	cd install/po && $(MAKE) install || exit 1;
- 	if [ "$(DESTDIR)" = "" ]; then \
--		$(PYTHON) setup-client.py install; \
-+		$(PYTHON) setup-client.py install --install-layout=deb; \
- 	else \
--		$(PYTHON) setup-client.py install --root $(DESTDIR); \
-+		$(PYTHON) setup-client.py install --install-layout=deb --root $(DESTDIR); \
- 	fi
- 
- client-dirs:

debian/patches/fix-ldap-conf-path.diff

@@ -1,6 +1,6 @@
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
-@@ -854,7 +854,7 @@ def configure_openldap_conf(fstore, cli_
+@@ -948,7 +948,7 @@ def configure_openldap_conf(fstore, cli_
              {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option',
                  'value':CACERT},]
  

debian/patches/fix-ntpdate-opts.diff

@@ -1,13 +0,0 @@
-Our ntp isn't patched to drop privileges.
-
---- a/ipa-client/ipaclient/ntpconf.py
-+++ b/ipa-client/ipaclient/ntpconf.py
-@@ -147,7 +147,7 @@ def synconce_ntp(server_fqdn):
-     if os.path.exists(ntpdate):
-         # retry several times -- logic follows /etc/init.d/ntpdate
-         # implementation
--        cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn]
-+        cmd = [ntpdate, "-s", "-b", "-v", server_fqdn]
-         for retry in range(0, 3):
-             try:
-                 ipautil.run(cmd)

debian/patches/fix-portability-of-nss.diff

@@ -1,74 +0,0 @@
-From 2d9e290970e71d373b91cd0cd1db52b991636889 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 28 Nov 2013 15:32:07 +0100
-Subject: [PATCH] BUILD: Fix portability of NSS in file ipa_pwd.c
-
----
- daemons/ipa-kdb/Makefile.am                         | 4 +++-
- daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 +
- util/ipa_pwd.c                                      | 8 ++++----
- 3 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
-index dc543dd..b3d6a1b 100644
---- a/daemons/ipa-kdb/Makefile.am
-+++ b/daemons/ipa-kdb/Makefile.am
-@@ -21,6 +21,7 @@ AM_CPPFLAGS =						\
- 	$(KRB5_CFLAGS)					\
- 	$(WARN_CFLAGS)					\
- 	$(NDRPAC_CFLAGS)				\
-+	$(NSS_CFLAGS)					\
- 	$(NULL)
- 
- plugindir = $(libdir)/krb5/plugins/kdb
-@@ -51,6 +52,7 @@ ipadb_la_LIBADD = 		\
- 	$(LDAP_LIBS)		\
- 	$(NDRPAC_LIBS)		\
- 	$(UNISTRING_LIBS)	\
-+	$(NSS_LIBS)             \
- 	$(NULL)
- 
- if HAVE_CHECK
-@@ -77,7 +79,7 @@ ipa_kdb_tests_LDADD =          \
-        $(KRB5_LIBS)            \
-        $(LDAP_LIBS)            \
-        $(NDRPAC_LIBS)          \
--       -lnss3                  \
-+       $(NSS_LIBS)             \
-        -lkdb5                  \
-        -lsss_idmap             \
-        $(NULL)
-diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
-index b53b2e1..3323d72 100644
---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
-+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
-@@ -22,6 +22,7 @@ AM_CPPFLAGS =							\
- 	$(LDAP_CFLAGS)					\
- 	$(KRB5_CFLAGS)						\
- 	$(SSL_CFLAGS)						\
-+	$(NSS_CFLAGS)						\
- 	$(WARN_CFLAGS)						\
- 	$(NULL)
- 	
-diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
-index 761d1ef..f6564c8 100644
---- a/util/ipa_pwd.c
-+++ b/util/ipa_pwd.c
-@@ -27,10 +27,10 @@
- #include <stdio.h>
- #include <time.h>
- #include <ctype.h>
--#include <nss3/nss.h>
--#include <nss3/nssb64.h>
--#include <nss3/hasht.h>
--#include <nss3/pk11pub.h>
-+#include <nss.h>
-+#include <nssb64.h>
-+#include <hasht.h>
-+#include <pk11pub.h>
- #include <errno.h>
- #include "ipa_pwd.h"
- 
--- 
-1.8.4.2
-

debian/patches/fix-pykerberos-api.diff

@@ -1,6 +1,6 @@
 --- a/ipalib/rpc.py
 +++ b/ipalib/rpc.py
-@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
+@@ -541,7 +541,7 @@ class KerbTransport(SSLTransport):
          service = "HTTP@" + host.split(':')[0]
  
          try:

debian/patches/fix-symlink-exclusion.diff

@@ -1,22 +0,0 @@
-Description: Don't exclude symlinks when loading plugins
- FreeIPA uses custom helpers to enumerate and load plugins. These plugins,
- provided by the ipalib module, are excluded due to being symlinked in from
- /usr/lib/pyshared as part of the dh_python2 installation process.
- .
- This change can probably be submitted upstream, but I have no idea why the
- original author would exclude symlinks in the first place, nor why a custom
- loader is being used.
-Author: Nick Hatch <nicholas.hatch@gmail.com>
-Last-Update: 2013-03-20
-
---- freeipa.orig/ipalib/util.py
-+++ freeipa/ipalib/util.py
-@@ -81,7 +81,7 @@
-         if not name.endswith(suffix):
-             continue
-         pyfile = os.path.join(src_dir, name)
--        if os.path.islink(pyfile) or not os.path.isfile(pyfile):
-+        if not os.path.isfile(pyfile):
-             continue
-         module = name[:-len(suffix)]
-         if module == '__init__':

debian/patches/include-ldflags-otpd.diff

@@ -1,21 +0,0 @@
-commit 75dadc1d8ffc3ac84c4b1988c266ef60de1a6cfe
-Author: Jan Cholasta <jcholast@redhat.com>
-Date:   Wed Dec 4 18:39:44 2013 +0100
-
-    Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
-    
-    Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.
-    
-    https://fedorahosted.org/freeipa/ticket/3896
-
-diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
-index f0b7528..ed99c3e 100644
---- a/daemons/ipa-otpd/Makefile.am
-+++ b/daemons/ipa-otpd/Makefile.am
-@@ -1,5 +1,5 @@
- AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
--AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
-+AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
- 
- noinst_HEADERS = internal.h
- libexec_PROGRAMS = ipa-otpd

debian/patches/no-test-lang.diff

@@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -98,7 +98,7 @@ client-dirs:
+@@ -112,7 +112,7 @@ client-dirs:
  
  lint: bootstrap-autogen
  	./make-lint $(LINT_OPTIONS)

debian/patches/no-testcert.patch

@@ -1,18 +0,0 @@
-Author: Timo Aaltonen <tjaalton@ubuntu.com>
-Date:   Tue Nov 1 11:48:27 2011 -0400
-
-    Add no-testcert.patch to not fail make-testcert.
-
-they need a working certificate server running
-
---- a/Makefile
-+++ b/Makefile
-@@ -102,7 +102,7 @@ lint: bootstrap-autogen
- 
- 
- test:
--	./make-testcert
-+#	./make-testcert
- 	./make-test
- 
- release-update:

debian/patches/port-ipa-client-automount.diff

@@ -1,10 +1,8 @@
-diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
-index 3952642..e7b843e 100755
 --- a/ipa-client/ipa-install/ipa-client-automount
 +++ b/ipa-client/ipa-install/ipa-client-automount
-@@ -39,10 +39,10 @@ from ipapython.ipa_log_manager import *
+@@ -40,10 +40,10 @@ from ipapython.dn import DN
- from ipapython.dn import DN
+ from ipaplatform.tasks import tasks
- from ipapython import services as ipaservices
+ from ipaplatform import services
  
 -AUTOFS_CONF = '/etc/sysconfig/autofs'
 +AUTOFS_CONF = '/etc/default/autofs'
@@ -15,7 +13,7 @@ index 3952642..e7b843e 100755
  IDMAPD_CONF = '/etc/idmapd.conf'
  
  def parse_options():
-@@ -309,7 +309,7 @@ def configure_nfs(fstore, statestore):
+@@ -310,7 +310,7 @@ def configure_nfs(fstore, statestore):
      Configure secure NFS
      """
      replacevars = {

debian/patches/prefix.patch

@@ -5,7 +5,19 @@ use the debian layout when installing python modules
 
 --- a/Makefile
 +++ b/Makefile
-@@ -153,7 +153,7 @@ server-install: server
+@@ -96,9 +96,9 @@ client-install: client client-dirs
+ 	done
+ 	cd install/po && $(MAKE) install || exit 1;
+ 	if [ "$(DESTDIR)" = "" ]; then \
+-		$(PYTHON) setup-client.py install; \
++		$(PYTHON) setup-client.py install --install-layout=deb; \
+ 	else \
+-		$(PYTHON) setup-client.py install --root $(DESTDIR); \
++		$(PYTHON) setup-client.py install --root $(DESTDIR) --install-layout=deb; \
+ 	fi
+ 
+ client-dirs:
+@@ -169,7 +169,7 @@ server-install: server
  	if [ "$(DESTDIR)" = "" ]; then \
  		$(PYTHON) setup.py install; \
  	else \
@@ -18,10 +30,10 @@ use the debian layout when installing python modules
 +++ b/ipapython/Makefile
 @@ -14,7 +14,7 @@ install:
  	if [ "$(DESTDIR)" = "" ]; then \
- 		python setup.py install; \
+ 		python2 setup.py install; \
  	else \
--		python setup.py install --root $(DESTDIR); \
+-		python2 setup.py install --root $(DESTDIR); \
-+		python setup.py install --root $(DESTDIR) --install-layout=deb; \
++		python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
  	fi
  	@for subdir in $(SUBDIRS); do \
  		(cd $$subdir && $(MAKE) $@) || exit 1; \
@@ -29,10 +41,10 @@ use the debian layout when installing python modules
 +++ b/ipapython/py_default_encoding/Makefile
 @@ -9,7 +9,7 @@ install:
  	if [ "$(DESTDIR)" = "" ]; then \
- 		python setup.py install; \
+ 		python2 setup.py install; \
  	else \
--		python setup.py install --root $(DESTDIR); \
+-		python2 setup.py install --root $(DESTDIR); \
-+		python setup.py install --root $(DESTDIR) --install-layout=deb; \
++		python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
  	fi
  
  clean:

debian/patches/series

@@ -1,21 +1,13 @@
 # not upstreamable
-no-testcert.patch
 prefix.patch
 no-test-lang.diff
-fix-install-layout.diff
-fix-ntpdate-opts.diff
 fix-ldap-conf-path.diff
 port-ipa-client-automount.diff
 dont-check-for-systemd-pc.diff
-fix-portability-of-nss.diff
 
 # send upstream
-correct-python-path.diff
-dont-search-platform-path.diff
-fix-symlink-exclusion.diff
 check-dbus-before-starting.diff
 add-debian-platform.diff
 use-new-nssdb.diff
 
-include-ldflags-otpd.diff
 fix-pykerberos-api.diff

debian/patches/use-new-nssdb.diff

@@ -1,6 +1,6 @@
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
-@@ -201,7 +201,7 @@ def log_service_error(name, action, erro
+@@ -228,7 +228,7 @@ def log_service_error(name, action, erro
      root_logger.error("%s failed to %s: %s", name, action, str(error))
  
  def nickname_exists(nickname):
@@ -9,7 +9,7 @@
  
          if returncode == 0:
              return True
-@@ -365,7 +365,7 @@ def uninstall(options, env):
+@@ -487,7 +487,7 @@ def uninstall(options, env):
      # Remove our host cert and CA cert
      if nickname_exists("IPA CA"):
          try:
@@ -18,7 +18,7 @@
          except Exception, e:
              root_logger.error(
                  "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e))
-@@ -393,7 +393,7 @@ def uninstall(options, env):
+@@ -515,7 +515,7 @@ def uninstall(options, env):
  
      if nickname_exists(client_nss_nickname):
          try:
@@ -27,23 +27,3 @@
          except Exception, e:
              root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s",
                  client_nss_nickname, str(e))
-@@ -2297,7 +2297,7 @@ def install(options, env, fstore, states
- 
-     # Add the CA to the default NSS database and trust it
-     try:
--        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
-+        run(["/usr/bin/certutil", "-A", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
-     except CalledProcessError, e:
-         root_logger.info("Failed to add CA to the default NSS database.")
-         return CLIENT_INSTALL_ERROR
---- a/ipalib/rpc.py
-+++ b/ipalib/rpc.py
-@@ -322,7 +322,7 @@ class SSLTransport(LanguageAwareTranspor
-             if self._connection and host == self._connection[0]:
-                 return self._connection[1]
- 
--        dbdir = '/etc/pki/nssdb'
-+        dbdir = 'sql:/etc/pki/nssdb'
-         no_init = self.__nss_initialized(dbdir)
-         if sys.version_info < (2, 7):
-             conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)