Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.
Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.
Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Dogtag 10.7 includes the 'pki-server cert-fix' enhancements required
by ipa-cert-fix. Bump the dep min bound.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db
The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.
Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.
Except for DMLDAP, handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.
The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.
Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.
Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.
Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On Fedora >= 29 the command 'twine' is provied by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.
See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
CI is failing with 389-DS 1.4.0.20-1. Pin dependency to 1.4.0.16 for
now.
Note: RPM/DNF don't like a pin with dash. Therefore I had to change
ds_version from 1.4.0.16-1 to 1.4.0.16.
Fixes: https://github.com/freeipa/freeipa/pull/2731
See: https://pagure.io/389-ds-base/pull-request/50121
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.
nss-3.41.0-1.fc29 is available in F29 stable.
See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.
Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.
Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.
Fixes https://pagure.io/freeipa/issue/7767
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:
is_subclass_of fails with AttributeError: 'NoneType' object has no
attribute 'name'
pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.
See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.
See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.
Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
[error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.
Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Let's catch broken YAML files (Travis, PR-CI) and spec file early.
- Use rpmlint to detect syntax errors in spec file early
- Attempt to parse all YAML files with PyYAML
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The sssd meta package pulls in additional dependencies that are not
required by IPA clients. Only depend on sssd-ipa.
Also update SSSD to 1.16.3-2 with fixes with support for One-Way Trust
authenticated by trust secret.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1345975
See: https://pagure.io/freeipa/issue/7710
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
When it was checking for FIPS it assumed that /proc/sys/crypto
existed which it doesn't in some containers and on Ubuntu.
This was updated in dogtag, this change is just to pull in the
fix.
https://pagure.io/freeipa/issue/7608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.
See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Original patch by Jason Tibbitts <tibbs@math.uh.edu>
See: 9cdadfb7d0
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.
On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
common part of OSes, thus one of the original reasons why use Rhino
went away.
The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).
Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn̈́'t run. In long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.
Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.
Reviewed-By: Armando Neto <abiagion@redhat.com>
UgligyJS is packaged in Fedora and other OSes it is no longer required
to carry our own version. This will lower the maintanance burden - the
code doesn't need to be updated and it is less code to have in repo.
On some configuration usage of the budled UglifyJS 1 produces
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of more
recent version should fix it.
Reviewed-By: Armando Neto <abiagion@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.
Fixes:
https://pagure.io/freeipa/issue/7591
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.
python2-lesscpy was the last Python 2 dependency.
Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove with_python3 checks and always build Python 3 packages.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The specfile now uses three variables to determinate how to handle
Python support.
with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages
"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.
The patch also cleans up and fixes additional issues:
* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
were packages with Python 2 RPMs although they had a Python 3 shebang.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>