Commit Graph

12905 Commits

Author SHA1 Message Date
Timo Aaltonen
b8877e8adf copyright, watch: Update source/release location. 2017-04-05 17:56:31 +03:00
Timo Aaltonen
4ec19bad13 ipa-kdb-support-dal-version-5-and-6.diff dropped, purge-firefox-extension.diff refreshed 2017-04-01 01:11:21 +03:00
Timo Aaltonen
d584e39f68 update changelog 2017-03-30 11:41:40 +03:00
Timo Aaltonen
74010f002f tagging IPAv4 4.4.4
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJY1AYXAAoJECKiqUteSUFaQc8H/1FJlI2bHXtByvQleASeZUVd
 /U+4LLp81FcE41tasVDM7pLZRte0SASyX+dV7u6Q1B7diKhaApQobmKc//Zr+ls4
 W6cVFQgG+IpcsjRfktS/rtdPbFvNNlM8KFTZ+K5wjo4GVtT9WlJgIMQP5AeMB18K
 NgVn8+3oQ2AgT4tbvLOXPvUqbtVQrx8de7AI3KXb6Q6eLNylCeRE9pttN6yy9LJ6
 B0pac8PeQ25hwy3SQ+CyV9/0tF0MfSkzuI7uyb7zVUs5x7K7mDGqRvGPJnCAiMtK
 Y0evLlamQupI5ZkW+YL1TXktCLh+nnUrcHJc765xjzM2gLxl5bz1Ood9bvrICX8=
 =mENs
 -----END PGP SIGNATURE-----

Merge tag 'release-4-4-4' into master-next

tagging IPAv4 4.4.4
2017-03-30 11:39:19 +03:00
Martin Basti
92fb05c41f Become IPA 4.4.4 2017-03-23 18:28:58 +01:00
Martin Basti
b150a7a994 Update Contributors.txt
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-23 17:59:05 +01:00
Martin Basti
e7beb9a2ae FreeIPA 4.4.4 translations
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-23 17:37:55 +01:00
Martin Basti
951d27ecc5 Bump python-dns to improve processing of non-complete resolv.conf
With a missing IP address for a nameserver, older python-dns raises
an IndexError. python-dns >= 1.13 just ignores the broken line.

https://pagure.io/freeipa/issue/6070

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-23 09:57:40 +01:00
David Kupka
40e1eb695d ipapython.ipautil.nolog_replace: Do not replace empty value
When provided an empty value in the nolog parameter, nolog_replace added 'XXXXXXXX'
three times (once for the plain value, once for the http-quoted value and last for the
shell-quoted value) before every character (including the terminating '\0') in the string.

https://pagure.io/freeipa/issue/6738

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-21 09:46:44 +01:00
Stanislav Laznicka
5caade9912 Add debug log in case cookie retrieval went wrong
https://pagure.io/freeipa/issue/6774

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-20 19:09:57 +01:00
Stanislav Laznicka
40f3b8f8a3 Fix cookie with Max-Age processing
When a cookie has Max-Age set, it tries to get the expiration by adding
it to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails.

https://pagure.io/freeipa/issue/6774

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-20 19:09:57 +01:00
Alexander Bokovoy
95daecbae8 ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure the KDB driver code to provide this callback in case
we are built against a DAL version that supports it. For DAL versions
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With a new DAL version, the freeipa package will fail to build and
we'll have to add support for the new DAL version explicitly.

https://pagure.io/freeipa/issue/6776

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-03-20 17:11:12 +01:00
Jan Cholasta
e3b49abfe7 compat: fix Any params in batch and dnsrecord
The `methods` argument of `batch` and the `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 05:32:40 +00:00
Tomas Krizek
a572e61cb5 server install: require IPv6 stack to be enabled
Add checks to install and replica install to verify the IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-09 16:52:02 +01:00
Timo Aaltonen
f1b29d31d3 close a bug 2017-03-02 09:38:58 +02:00
Fraser Tweedale
1aa314c796 ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions were not checked before the Dogtag operations were
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional checks to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 14:31:22 +00:00
Thorsten Scherf
f784e33b1e added ssl verification using IPA trust anchor
https://fedorahosted.org/freeipa/ticket/6686

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-27 07:54:18 +00:00
Florence Blanc-Renaud
4a30e9d534 Do not configure PKI ajp redirection to use "::1"
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
        protocol="AJP/1.3"
        redirectPort="8443"
        address="::1" />
i.e. all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure the AJP
redirection with "localhost" by default, FreeIPA no longer needs to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-20 10:25:30 +01:00
Timo Aaltonen
8ca2e70a93 client.dirs: Ship /etc/krb5.conf.d, because not having that breaks the installer when krb5.conf tries to include that. 2017-02-17 15:07:42 +02:00
Timo Aaltonen
b2b9d8f156 fix-kdcproxy-path.diff: Update debian/paths.py to use correct path for ipa-httpd-kdcproxy. 2017-02-17 15:01:04 +02:00
Timo Aaltonen
eea684e2a7 fix-is-running.diff: Add a third argument to is_running() in ipaplatform/debian/services.py. 2017-02-17 01:40:24 +02:00
Timo Aaltonen
df246cc112 releasing package freeipa version 4.4.3-3 2017-02-16 11:26:17 +02:00
Timo Aaltonen
4631e1893b client.postinst: Fix logfile location. 2017-01-28 15:29:02 +02:00
Timo Aaltonen
cee4417e77 releasing package freeipa version 4.4.3-2 2017-01-28 00:21:37 +02:00
Timo Aaltonen
a4e4d1d6f4 control: Fix python-ipatests to depend on python-sss instead of - sssdconfig. 2017-01-28 00:04:28 +02:00
Martin Basti
74020d07db Use proper logging for error messages
https://fedorahosted.org/freeipa/ticket/6588r

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-25 13:42:56 +01:00
Martin Basti
5bddcdb47b Wait until HTTPS principal entry is replicated to replica
Without the HTTP principal the later steps fail.

https://fedorahosted.org/freeipa/ticket/6588

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-25 13:42:56 +01:00
Martin Basti
3d0a072876 wait_for_entry: use only DN as parameter
Using the whole entry as a parameter is not needed because only the DN is used,
and it prevents easier usage of this function.

https://fedorahosted.org/freeipa/ticket/6588

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-25 13:42:56 +01:00
Ganna Kaihorodova
52527d6323 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherit test cases from trust tests, which have a
role for the tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Timo Aaltonen
b60eb8b01e releasing package freeipa version 4.4.3-1 2017-01-14 15:37:21 +02:00
Timo Aaltonen
3f7fe2aa9c control: Demote ntp to Recommends so that lxc containers can be enrolled without it. (LP: #1630911) 2017-01-14 15:21:56 +02:00
Timo Aaltonen
799d94959b update purge-firefox-extension.diff 2017-01-14 11:32:26 +02:00
Timo Aaltonen
59e06164f8 control: Add krb5-otp to server depends. (LP: #1640732) 2017-01-14 11:22:03 +02:00
Timo Aaltonen
b741e1dfe0 close a LP bug 2017-01-14 11:21:06 +02:00
Timo Aaltonen
9e22c17a91 Update TODO 2017-01-14 11:15:08 +02:00
Timo Aaltonen
7ee921d824 fix-cve-2016-5404.diff: Dropped, upstream. 2017-01-14 10:56:09 +02:00
Fraser Tweedale
cdb6ffb779 Set up DS TLS on replica in CA-less topology
Fixes: https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-05 15:09:12 +01:00
Timo Aaltonen
762a542966 update changelog, fix a bug 2016-12-23 08:20:42 +02:00
Timo Aaltonen
73c6e90fdb Merge branch 'upstream-next' into master-next 2016-12-23 08:10:39 +02:00
Petr Vobornik
097ff54ebc Become IPA 4.4.3 2016-12-16 13:45:37 +01:00
Martin Babinsky
e02323c1c3 Add a basic test suite for kadmin.local interface
This small integration suite tests some basic operations using the
kadmin.local interface on services in both the kerberos and services
subtrees.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-16 10:37:49 +01:00
Martin Babinsky
f0f48ec14f Make kadmin family of functions return the result of ipautil.run
This allows diagnosing the output and error code of these operations.
Otherwise there is no way to infer their success or failure apart from
inspecting logs post-mortem.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-16 10:37:49 +01:00
Alexander Bokovoy
84f6df6349 ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, the DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-15 17:32:33 +01:00
David Kupka
171bc3e685 tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
The result of the {host,service}-{find,show} commands with option '--all' always contains
the krbpwdpolicyreference attribute.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 18:14:35 +01:00
David Kupka
08e7af9f0f password policy: Add explicit default password policy for hosts and services
Explicitly set the krbPwdPolicyReference attribute on all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS, so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also, the lockout policy could be used for an easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 18:14:35 +01:00
Fraser Tweedale
c12a52f0d7 certprofile-mod: correctly authorise config update
Certificate profiles consist of a FreeIPA object and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-14 18:08:33 +01:00
Martin Basti
2a2652187e freeipa-4.4.3: update translations
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-14 17:40:26 +01:00
David Kupka
6ef666ed12 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from the server command
that is internally called. Otherwise the api_version is obtained from the client
API instance. When calling a server command from a client command, 'version' is
passed in options and it overrides the right one. The server then refuses to handle
such a call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00
Ludwig Krispenz
d028d23c5f Check for conflict entries before raising domain level
Checking for conflicts is not only done in the topology container, as
tests showed conflicts can occur elsewhere.

https://fedorahosted.org/freeipa/ticket/6534

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-13 12:25:07 +01:00
Pavel Vomacka
cd62808c0e WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
There was a missing default value for the evaluator adapter.
In that case the adapter variable could be undefined and
it crashed when building the adapter. Therefore it did not
evaluate all evaluators. That is the reason why the 'Delete'
and 'Add' buttons were incorrectly shown.
The default value is now set to an empty object.

https://fedorahosted.org/freeipa/ticket/6546

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-12-12 18:30:10 +01:00