author | Jan Cholasta | 2017-06-27 09:51:41 +0200 |
---|---|---|
committer | Jan Cholasta | 2017-07-28 16:06:53 +0200 |
commit | bfc22a02d2f0d508e1248a403d8a4334d0827b38 (patch) | |
tree | 99a70b35ce5826bc95d3cc4cd36b28488b57982a | |
parent | 7cf0bd5dc82ca4c20410dd5341c7ace5e185f0c0 (diff) | |
download | aur-bfc22a02d2f0d508e1248a403d8a4334d0827b38.tar.gz |
freeipa-4.5.3-1
-rw-r--r-- | .SRCINFO | 121 | ||||
-rw-r--r-- | 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch | 196 | ||||
-rw-r--r-- | 0001-platform-add-Arch-Linux-platform.patch | 205 | ||||
-rw-r--r-- | 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch | 39 | ||||
-rw-r--r-- | 0002-platform-add-Arch-Linux-platform.patch | 200 | ||||
-rw-r--r-- | 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch | 29 | ||||
-rw-r--r-- | PKGBUILD | 351 | ||||
-rwxr-xr-x | freeipa-client-update-sshd_config | 35 | ||||
-rw-r--r-- | freeipa-client-update-sshd_config.hook | 9 | ||||
-rw-r--r-- | freeipa-client.install | 53 |
10 files changed, 716 insertions, 522 deletions
@@ -1,119 +1,122 @@ pkgbase = freeipa pkgdesc = The Identity, Policy and Audit system - pkgver = 4.4.3 + pkgver = 4.5.3 pkgrel = 1 url = http://www.freeipa.org/ arch = i686 arch = x86_64 license = GPL3 - makedepends = nspr - makedepends = nss - makedepends = openssl makedepends = openldap - makedepends = krb5>=1.13 - makedepends = libutil-linux - makedepends = curl>7.21.7 + makedepends = krb5>=1.15.1 makedepends = xmlrpc-c>=1.27.4 makedepends = popt + makedepends = gettext makedepends = python + makedepends = python-setuptools makedepends = python2 - makedepends = python2-ldap makedepends = python2-setuptools + makedepends = nspr + makedepends = nss + makedepends = openssl + makedepends = ding-libs + makedepends = libsasl + makedepends = python2-ldap makedepends = python2-nss - makedepends = python2-cryptography>=0.9 - makedepends = python2-netaddr - makedepends = python2-gssapi>=1.1.2 - makedepends = python2-memcached - makedepends = sssd>=1.14.0 - makedepends = python2-lxml - makedepends = python2-pyasn1>=0.0.9a - makedepends = python2-qrcode - makedepends = python2-dnspython>=1.11.1 - makedepends = systemd - makedepends = libunistring - makedepends = python2-yubico>=1.2.3 + makedepends = python2-netaddr>=0.7.16 + makedepends = python2-pyasn1 + makedepends = python2-pyasn1-modules + makedepends = python2-dnspython makedepends = python2-six - makedepends = ding-libs>=0.5.0 - makedepends = python2-dbus - makedepends = python2-netifaces - source = http://freeipa.org/downloads/src/freeipa-4.4.3.tar.gz - source = 0001-platform-add-Arch-Linux-platform.patch - source = 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch - source = 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch - sha256sums = 7ab844e16ba23dff9c71d47f59f105a8b2fdb6c407a56326c32528e8e7bb0773 - sha256sums = 73bff9f3677b98c09ff45dd8e2aae7080e0f93218956b978d07346005dab7b6b - sha256sums = e797910b18f7ed3063a9a454b261960fda2ab133f79ee070bee16e4745489d03 - sha256sums = 
bc095e230652a8b421bfd1adb546aa4e720bfe8d15f6a9d6872eccac79b3dcbc + makedepends = sssd>=1.13.0 + makedepends = python2-cffi + makedepends = python-jinja + makedepends = python-pyasn1-modules + makedepends = python2-jinja + options = emptydirs + source = https://releases.pagure.org/freeipa/freeipa-4.5.3.tar.gz + source = 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch + source = 0002-platform-add-Arch-Linux-platform.patch + source = freeipa-client-update-sshd_config + source = freeipa-client-update-sshd_config.hook + sha256sums = 94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b + sha256sums = ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e + sha256sums = f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369 + sha256sums = 9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d + sha256sums = 1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d pkgname = python-ipalib pkgdesc = Python libraries used by IPA arch = any - depends = freeipa-common=4.4.3-1 - depends = python-gssapi>=1.1.2 + depends = freeipa-common=4.5.3-1 + depends = python-gssapi>=1.2.0 depends = gnupg depends = keyutils depends = python-nss>=0.16 - depends = python-cryptography>=0.9 - depends = python-lxml - depends = python-netaddr + depends = python-cryptography>=1.4 + depends = python-netaddr>=0.7.16 depends = sssd depends = python-qrcode>=5.0.0 depends = python-pyasn1 + depends = python-pyasn1-modules depends = python-dateutil depends = python-yubico>=1.2.3 depends = python-dbus depends = python-setuptools depends = python-six depends = python-pyldap>=2.4.15 - depends = python-dnspython>=1.11.1 + depends = python-dnspython>=1.15 depends = python-netifaces>=0.10.4 depends = python-pyusb - provides = python-ipapython=4.4.3-1 - provides = python-ipaplatform=4.4.3-1 + provides = python-ipapython=4.5.3-1 + provides = python-ipaplatform=4.5.3-1 pkgname = python-ipaclient pkgdesc = Python libraries used by IPA client arch = any - 
depends = freeipa-client-common=4.4.3-1 - depends = freeipa-common=4.4.3-1 - depends = python-ipalib=4.4.3-1 - depends = python-dnspython>=1.11.1 + depends = freeipa-client-common=4.5.3-1 + depends = freeipa-common=4.5.3-1 + depends = python-ipalib=4.5.3-1 + depends = python-dnspython>=1.15 + depends = python-jinja pkgname = python2-ipalib pkgdesc = Python libraries used by IPA arch = any - depends = freeipa-common=4.4.3-1 - depends = python2-gssapi>=1.1.2 + depends = freeipa-common=4.5.3-1 + depends = python2-gssapi>=1.2.0 depends = gnupg depends = keyutils + depends = python2>=2.7.9 depends = python2-nss>=0.16 - depends = python2-cryptography>=0.9 - depends = python2-lxml - depends = python2-netaddr + depends = python2-cryptography>=1.4 + depends = python2-netaddr>=0.7.16 depends = sssd depends = python2-qrcode>=5.0.0 depends = python2-pyasn1 + depends = python2-pyasn1-modules depends = python2-dateutil depends = python2-yubico>=1.2.3 depends = python2-dbus depends = python2-setuptools depends = python2-six depends = python2-ldap>=2.4.15 - depends = python2-dnspython>=1.11.1 + depends = python2-dnspython>=1.15 + depends = python2-enum34 depends = python2-netifaces>=0.10.4 depends = python2-pyusb - provides = python2-ipapython=4.4.3-1 - provides = python2-ipaplatform=4.4.3-1 + provides = python2-ipapython=4.5.3-1 + provides = python2-ipaplatform=4.5.3-1 conflicts = freeipa-python replaces = freeipa-python pkgname = python2-ipaclient pkgdesc = Python libraries used by IPA client arch = any - depends = freeipa-client-common=4.4.3-1 - depends = freeipa-common=4.4.3-1 - depends = python2-ipalib=4.4.3-1 - depends = python2-dnspython>=1.11.1 + depends = freeipa-client-common=4.5.3-1 + depends = freeipa-common=4.5.3-1 + depends = python2-ipalib=4.5.3-1 + depends = python2-dnspython>=1.15 + depends = python2-jinja pkgname = freeipa-common pkgdesc = Common files used by IPA 
@@ -128,9 +131,9 @@ pkgname = freeipa-client-common
 pkgname = freeipa-client
 pkgdesc = IPA authentication for use on clients
 install = freeipa-client.install
- depends = freeipa-client-common=4.4.3-1
- depends = freeipa-common=4.4.3-1
- depends = python2-ipaclient=4.4.3-1
+ depends = freeipa-client-common=4.5.3-1
+ depends = freeipa-common=4.5.3-1
+ depends = python2-ipaclient=4.5.3-1
 depends = python2-ldap
 depends = cyrus-sasl-gssapi
 depends = ntp
@@ -144,7 +147,7 @@ pkgname = freeipa-client
 depends = nss
 depends = bind-tools
 depends = oddjob
- depends = python2-gssapi>=1.1.2
+ depends = python2-gssapi>=1.2.0
 depends = autofs
 depends = nfsidmap
 depends = nfs-utils
diff --git a/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
new file mode 100644
index 000000000000..411f30112082
--- /dev/null
+++ b/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
@@ -0,0 +1,196 @@ +From c2a9ff7a7d5384bdb036b8679b71527f5ff64bbd Mon Sep 17 00:00:00 2001 +From: Jan Cholasta <jcholast@redhat.com> +Date: Mon, 20 Mar 2017 06:56:53 +0000 +Subject: [PATCH 1/2] install: do not assume /etc/krb5.conf.d exists + +Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if +/etc/krb5.conf.d exists. + +Do not rely on /etc/krb5.conf.d to enable the certauth plugin. + +This fixes install on platforms which do not have /etc/krb5.conf.d. + +https://pagure.io/freeipa/issue/6589 + +Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> +Reviewed-By: Christian Heimes <cheimes@redhat.com> +Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> +--- + daemons/ipa-kdb/Makefile.am | 6 ------ + daemons/ipa-kdb/ipa-certauth | 5 ----- + freeipa.spec.in | 1 - + install/share/krb5.conf.template | 7 ++++++- + ipaclient/install/client.py | 16 ++++++++++------ + ipaserver/install/krbinstance.py | 8 +++++++- + ipaserver/install/server/upgrade.py | 33 +++++++++++++++++++++++++++++++++ + 8 files changed, 56 insertions(+), 21 deletions(-) + delete mode 100644 daemons/ipa-kdb/ipa-certauth + +diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am +index 259bc3b20..5669349af 100644 +--- a/daemons/ipa-kdb/Makefile.am ++++ b/daemons/ipa-kdb/Makefile.am +@@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports + + if BUILD_IPA_CERTAUTH_PLUGIN + ipadb_la_SOURCES += ipa_kdb_certauth.c +- +- +-krb5confdir = $(sysconfdir)/krb5.conf.d +-krb5conf_DATA = ipa-certauth +-else +-dist_noinst_DATA += ipa-certauth + endif + + ipadb_la_LDFLAGS = \ +diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth +deleted file mode 100644 +index 6fde08284..000000000 +--- a/daemons/ipa-kdb/ipa-certauth ++++ /dev/null +@@ -1,5 +0,0 @@ +-[plugins] +- certauth = { +- module = ipakdb:kdb/ipadb.so +- enable_only = ipakdb +- } +diff --git a/freeipa.spec.in b/freeipa.spec.in +index a8b5ce81f..80f302130 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -1207,7 +1207,6 
@@ fi + %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck + %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf + %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf +-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth + %dir %{_libexecdir}/ipa/certmonger + %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* + # NOTE: systemd specific section +diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template +index 1f18ff90d..e3420e537 100644 +--- a/install/share/krb5.conf.template ++++ b/install/share/krb5.conf.template +@@ -1,4 +1,4 @@ +-includedir /etc/krb5.conf.d/ ++$INCLUDES + includedir /var/lib/sss/pubconf/krb5.include.d/ + + [logging] +@@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS + db_library = ipadb.so + } + ++[plugins] ++ certauth = { ++ module = ipakdb:kdb/ipadb.so ++ enable_only = ipakdb ++ } +diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py +index c88061320..2d64a4494 100644 +--- a/ipaclient/install/client.py ++++ b/ipaclient/install/client.py +@@ -640,14 +640,18 @@ def configure_krb5_conf( + 'value': 'File modified by ipa-client-install' + }, + krbconf.emptyLine(), +- { +- 'name': 'includedir', +- 'type': 'option', +- 'value': paths.COMMON_KRB5_CONF_DIR, +- 'delim': ' ' +- } + ] + ++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): ++ opts.extend([ ++ { ++ 'name': 'includedir', ++ 'type': 'option', ++ 'value': paths.COMMON_KRB5_CONF_DIR, ++ 'delim': ' ' ++ } ++ ]) ++ + # SSSD include dir + if configure_sssd: + opts.extend([ +diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py +index 6b51e65d1..f0875fbc9 100644 +--- a/ipaserver/install/krbinstance.py ++++ b/ipaserver/install/krbinstance.py +@@ -249,6 +249,11 @@ class KrbInstance(service.Service): + root_logger.critical("krb5kdc service failed to start") + + def __setup_sub_dict(self): ++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): ++ includes = 'includedir 
{}'.format(paths.COMMON_KRB5_CONF_DIR) ++ else: ++ includes = '' ++ + self.sub_dict = dict(FQDN=self.fqdn, + IP=self.ip, + PASSWORD=self.kdc_password, +@@ -264,7 +269,8 @@ class KrbInstance(service.Service): + KDC_KEY=paths.KDC_KEY, + CACERT_PEM=paths.CACERT_PEM, + KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, +- CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) ++ CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM, ++ INCLUDES=includes) + + # IPA server/KDC is not a subdomain of default domain + # Proper domain-realm mapping needs to be specified +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 732776f2c..9c28c22fc 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1549,6 +1549,38 @@ def setup_pkinit(krb): + aug.close() + + ++def enable_certauth(krb): ++ root_logger.info("[Enable certauth]") ++ ++ aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, ++ loadpath=paths.USR_SHARE_IPA_DIR) ++ try: ++ aug.transform('IPAKrb5', paths.KRB5_CONF) ++ aug.load() ++ ++ path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF) ++ modified = False ++ ++ if not aug.match(path): ++ aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so') ++ aug.set('{}/enable_only'.format(path), 'ipakdb') ++ modified = True ++ ++ if modified: ++ try: ++ aug.save() ++ except IOError: ++ for error_path in aug.match('/augeas//error'): ++ root_logger.error('augeas: %s', aug.get(error_path)) ++ raise ++ ++ if krb.is_running(): ++ krb.stop() ++ krb.start() ++ finally: ++ aug.close() ++ ++ + def disable_httpd_system_trust(http): + ca_certs = [] + +@@ -1842,6 +1874,7 @@ def upgrade_configuration(): + CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) + krb.add_anonymous_principal() + setup_pkinit(krb) ++ enable_certauth(krb) + + if not ds_running: + ds.stop(ds_serverid) +-- +2.13.3 + diff --git a/0001-platform-add-Arch-Linux-platform.patch b/0001-platform-add-Arch-Linux-platform.patch deleted file mode 100644 index cdf92d8ceed1..000000000000 
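Review bot: The new guards in `configure_krb5_conf` (ipaclient/install/client.py) and `KrbInstance.__setup_sub_dict` (ipaserver/install/krbinstance.py) test `os.path.exists(paths.COMMON_KRB5_CONF_DIR)`, which is also true when the path is a regular file, so an `includedir` line can still be written for something that is not a directory; `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):` states the intended condition. The check is made once at install time, so a directory that appears later is not picked up, which is presumably acceptable but worth a short comment next to the guard. In `enable_certauth` (ipaserver/install/server/upgrade.py) the `[plugins] certauth` section is written only when `aug.match(path)` finds nothing, so an existing section with other `module`/`enable_only` values is kept as is; if that is deliberate, say so in place, e.g. `# an existing certauth section is left untouched`. The bodies of `configure_krb5_conf` and `__setup_sub_dict` continue outside the nested hunks.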
--- a/0001-platform-add-Arch-Linux-platform.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -From 57f997fefd917d9d8d13b1d94982c9a9b09156f6 Mon Sep 17 00:00:00 2001 -From: Xiao-Long Chen <chenxiaolong@cxl.epac.to> -Date: Wed, 16 Apr 2014 19:31:08 -0400 -Subject: [PATCH] platform: add Arch Linux platform - -This patch has been adapted from the patches provided with freeipa package -in the Arch User Repository (AUR). - -Signed-off-by: Jan Cholasta <jcholast@redhat.com> ---- - client/man/ipa-client-automount.1 | 4 ++-- - client/man/ipa-client-install.1 | 4 ++-- - ipaplatform/archlinux/__init__.py | 3 +++ - ipaplatform/archlinux/constants.py | 12 ++++++++++++ - ipaplatform/archlinux/paths.py | 22 ++++++++++++++++++++++ - ipaplatform/archlinux/services.py | 38 ++++++++++++++++++++++++++++++++++++++ - ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++ - ipaplatform/setup.py.in | 1 + - 8 files changed, 96 insertions(+), 4 deletions(-) - create mode 100644 ipaplatform/archlinux/__init__.py - create mode 100644 ipaplatform/archlinux/constants.py - create mode 100644 ipaplatform/archlinux/paths.py - create mode 100644 ipaplatform/archlinux/services.py - create mode 100644 ipaplatform/archlinux/tasks.py - -diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 -index 5b60503f1304d0a0b03a8862708ba126c50c7eff..16ccbeadc6a453ad43343c68b4662c089a359aaa 100644 ---- a/client/man/ipa-client-automount.1 -+++ b/client/man/ipa-client-automount.1 -@@ -29,7 +29,7 @@ The automount configuration consists of three files: - .IP o - /etc/nsswitch.conf - .IP o --/etc/sysconfig/autofs -+/etc/conf.d/autofs - .IP o - /etc/autofs_ldap_auth.conf - -@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default): - .TP - Files that will be configured when using the ldap automount client: - --/etc/sysconfig/autofs -+/etc/conf.d/autofs - - /etc/autofs_ldap_auth.conf - -diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index 
26c940721413a785068b6b79622a42a816c1ef77..468695cf06c76a899ca94af4f83f818f8afdc9f2 100644 ---- a/client/man/ipa-client-install.1 -+++ b/client/man/ipa-client-install.1 -@@ -257,7 +257,7 @@ Files replaced if NTP is enabled: - - /etc/ntp.conf - .br --/etc/sysconfig/ntpd -+/etc/conf.d/ntpd.conf - .br - /etc/ntp/step\-tickers - .TP -@@ -279,7 +279,7 @@ Files updated, existing content is maintained: - .br - /etc/krb5.keytab - .br --/etc/sysconfig/network -+/etc/hostname - .SH "EXIT STATUS" - 0 if the installation was successful - -diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py -new file mode 100644 -index 0000000000000000000000000000000000000000..9da42e7b4d782ef596e8fda080b6c1994b901866 ---- /dev/null -+++ b/ipaplatform/archlinux/__init__.py -@@ -0,0 +1,3 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py -new file mode 100644 -index 0000000000000000000000000000000000000000..148abd83f72d12263659f78326fdabd91bed5227 ---- /dev/null -+++ b/ipaplatform/archlinux/constants.py -@@ -0,0 +1,12 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.redhat.constants import RedHatConstantsNamespace -+ -+ -+class ArchLinuxConstantsNamespace(RedHatConstantsNamespace): -+ pass -+ -+ -+constants = ArchLinuxConstantsNamespace() -diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py -new file mode 100644 -index 0000000000000000000000000000000000000000..a7b8ea7b4cc959c4237a16fd68e7422bf1a359a1 ---- /dev/null -+++ b/ipaplatform/archlinux/paths.py -@@ -0,0 +1,22 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.redhat.paths import RedHatPathNamespace -+ -+ -+class ArchLinuxPathNamespace(RedHatPathNamespace): -+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf" -+ CERTMONGER_COMMAND_TEMPLATE = 
"/usr/lib/ipa/certmonger/%s" -+ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf" -+ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf" -+ SYSCONFIG_AUTOFS = "/etc/default/autofs" -+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = ( -+ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit") -+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = ( -+ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit") -+ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard" -+ LIB64_FIREFOX = "/usr/lib/firefox" -+ -+ -+paths = ArchLinuxPathNamespace() -diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py -new file mode 100644 -index 0000000000000000000000000000000000000000..c0fb6fb9403422f2699ef1a2e5521d7871dac3a0 ---- /dev/null -+++ b/ipaplatform/archlinux/services.py -@@ -0,0 +1,38 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.redhat.services import (RedHatService, -+ redhat_service_class_factory, -+ RedHatServices, -+ RedHatSSHService, -+ redhat_system_units, -+ timedate_services) -+ -+archlinux_system_units = dict(redhat_system_units) -+archlinux_system_units['messagebus'] = 'dbus.service' -+archlinux_system_units['rpcgssd'] = 'rpc-gssd.service' -+archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service' -+ -+ -+class ArchLinuxService(RedHatService): -+ system_units = archlinux_system_units -+ -+ -+class ArchLinuxSSHService(ArchLinuxService, RedHatSSHService): -+ pass -+ -+ -+def archlinux_service_class_factory(name): -+ if name == 'sshd': -+ return ArchLinuxSSHService(name) -+ return ArchLinuxService(name) -+ -+ -+class ArchLinuxServices(RedHatServices): -+ def service_class_factory(self, name): -+ return archlinux_service_class_factory(name) -+ -+ -+service = archlinux_service_class_factory -+knownservices = ArchLinuxServices() -diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py -new file mode 100644 -index 
0000000000000000000000000000000000000000..cae3245c874bd42f326b379e6bb39573f0b52acb ---- /dev/null -+++ b/ipaplatform/archlinux/tasks.py -@@ -0,0 +1,16 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.archlinux.paths import paths -+from ipaplatform.redhat.tasks import RedHatTaskNamespace -+ -+ -+class ArchLinuxTaskNamespace(RedHatTaskNamespace): -+ def restore_network_configuration(self, fstore, statestore): -+ filepath = paths.ETC_HOSTNAME -+ if fstore.has_file(filepath): -+ fstore.restore_file(filepath) -+ -+ -+tasks = ArchLinuxTaskNamespace() -diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in -index 11bb7573fd8a5c72da1c40ba4fd222fdc1a872d3..2d355fc1765b83a8b5945ab7e0b08f8781408216 100644 ---- a/ipaplatform/setup.py.in -+++ b/ipaplatform/setup.py.in -@@ -65,6 +65,7 @@ def setup_package(): - classifiers=[line for line in CLASSIFIERS.split('\n') if line], - package_dir = {'ipaplatform': ''}, - packages = ["ipaplatform", -+ "ipaplatform.archlinux", - "ipaplatform.base", - "ipaplatform.fedora", - "ipaplatform.redhat", --- -2.11.0 - diff --git a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch deleted file mode 100644 index 1899ba359df9..000000000000 --- a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 7002cc97bfa2ddc9666551e9b4536d6e106a0137 Mon Sep 17 00:00:00 2001 -From: Jan Cholasta <jcholast@redhat.com> -Date: Tue, 2 Aug 2016 12:56:44 +0200 -Subject: [PATCH] dogtag, vault: do not import `pki` in makeapi - ---- - ipaserver/plugins/dogtag.py | 2 +- - ipaserver/plugins/vault.py | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py -index 644b41e90f2d377ae9b70cf4719ab8789fdfc649..448b82b4a0749b6eb99ef7d1e3a9ea4501410a1d 100644 ---- a/ipaserver/plugins/dogtag.py -+++ b/ipaserver/plugins/dogtag.py -@@ -253,7 +253,7 @@ import ipapython.cookie - from ipapython import dogtag - from ipapython import ipautil - --if api.env.in_server: -+if not api.env.validate_api: - import pki - from pki.client import PKIConnection - import pki.crypto as cryptoutil -diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py -index 5c4c09685ceb95c6634306c4275008d602099e12..2f097e20327d88448dc470ab3ae719e585a4a8df 100644 ---- a/ipaserver/plugins/vault.py -+++ b/ipaserver/plugins/vault.py -@@ -35,7 +35,7 @@ from ipalib import _, ngettext - from ipapython import kerberos - from ipapython.dn import DN - --if api.env.in_server: -+if not api.env.validate_api: - import pki.account - import pki.key - --- -2.11.0 - diff --git a/0002-platform-add-Arch-Linux-platform.patch b/0002-platform-add-Arch-Linux-platform.patch new file mode 100644 index 000000000000..420baecf153d --- /dev/null +++ b/0002-platform-add-Arch-Linux-platform.patch 
@@ -0,0 +1,200 @@ +From 7af1f4b3c8d0130f6c6d61765d8396b2e8b7a508 Mon Sep 17 00:00:00 2001 +From: Xiao-Long Chen <chenxiaolong@cxl.epac.to> +Date: Wed, 16 Apr 2014 19:31:08 -0400 +Subject: [PATCH 2/2] platform: add Arch Linux platform + +This patch has been adapted from the patches provided with freeipa package +in the Arch User Repository (AUR). + +Signed-off-by: Jan Cholasta <jcholast@redhat.com> +--- + client/man/ipa-client-automount.1 | 4 ++-- + client/man/ipa-client-install.1 | 4 ++-- + ipaplatform/arch/__init__.py | 3 +++ + ipaplatform/arch/constants.py | 12 ++++++++++++ + ipaplatform/arch/paths.py | 22 ++++++++++++++++++++++ + ipaplatform/arch/services.py | 30 ++++++++++++++++++++++++++++++ + ipaplatform/arch/tasks.py | 19 +++++++++++++++++++ + ipaplatform/setup.py | 1 + + 8 files changed, 91 insertions(+), 4 deletions(-) + create mode 100644 ipaplatform/arch/__init__.py + create mode 100644 ipaplatform/arch/constants.py + create mode 100644 ipaplatform/arch/paths.py + create mode 100644 ipaplatform/arch/services.py + create mode 100644 ipaplatform/arch/tasks.py + +diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 +index 8b9989dec..2399250b1 100644 +--- a/client/man/ipa-client-automount.1 ++++ b/client/man/ipa-client-automount.1 +@@ -29,7 +29,7 @@ The automount configuration consists of three files: + .IP o + /etc/nsswitch.conf + .IP o +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + .IP o + /etc/autofs_ldap_auth.conf + +@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default): + .TP + Files that will be configured when using the ldap automount client: + +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + + /etc/autofs_ldap_auth.conf + +diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 +index 319952cb6..d01ccec64 100644 +--- a/client/man/ipa-client-install.1 ++++ b/client/man/ipa-client-install.1 +@@ -250,7 +250,7 @@ Files replaced if NTP is enabled: + + /etc/ntp.conf + 
.br +-/etc/sysconfig/ntpd ++/etc/conf.d/ntpd.conf + .br + /etc/ntp/step\-tickers + .TP +@@ -272,7 +272,7 @@ Files updated, existing content is maintained: + .br + /etc/krb5.keytab + .br +-/etc/sysconfig/network ++/etc/hostname + .SH "EXIT STATUS" + 0 if the installation was successful + +diff --git a/ipaplatform/arch/__init__.py b/ipaplatform/arch/__init__.py +new file mode 100644 +index 000000000..9da42e7b4 +--- /dev/null ++++ b/ipaplatform/arch/__init__.py +@@ -0,0 +1,3 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# +diff --git a/ipaplatform/arch/constants.py b/ipaplatform/arch/constants.py +new file mode 100644 +index 000000000..b4857aa7c +--- /dev/null ++++ b/ipaplatform/arch/constants.py +@@ -0,0 +1,12 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat.constants import RedHatConstantsNamespace ++ ++ ++class ArchConstantsNamespace(RedHatConstantsNamespace): ++ pass ++ ++ ++constants = ArchConstantsNamespace() +diff --git a/ipaplatform/arch/paths.py b/ipaplatform/arch/paths.py +new file mode 100644 +index 000000000..27721cf2f +--- /dev/null ++++ b/ipaplatform/arch/paths.py +@@ -0,0 +1,22 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat.paths import RedHatPathNamespace ++ ++ ++class ArchPathNamespace(RedHatPathNamespace): ++ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf" ++ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" ++ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf" ++ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf" ++ SYSCONFIG_AUTOFS = "/etc/default/autofs" ++ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = ( ++ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit") ++ DOGTAG_IPA_RENEW_AGENT_SUBMIT = ( ++ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit") ++ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard" ++ LIB64_FIREFOX = "/usr/lib/firefox" ++ ++ ++paths = 
ArchPathNamespace() +diff --git a/ipaplatform/arch/services.py b/ipaplatform/arch/services.py +new file mode 100644 +index 000000000..4ddfb53c9 +--- /dev/null ++++ b/ipaplatform/arch/services.py +@@ -0,0 +1,30 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat import services as redhat_services ++ ++arch_system_units = dict(redhat_services.redhat_system_units) ++arch_system_units['messagebus'] = 'dbus.service' ++arch_system_units['rpcgssd'] = 'rpc-gssd.service' ++arch_system_units['rpcidmapd'] = 'rpc-idmapd.service' ++ ++ ++class ArchService(redhat_services.RedHatService): ++ system_units = arch_system_units ++ ++ ++def arch_service_class_factory(name, api=None): ++ if name in {'messagebus', 'rpcgssd', 'rpcidmapd'}: ++ return ArchService(name, api) ++ return redhat_services.redhat_service_class_factory(name, api) ++ ++ ++class ArchServices(redhat_services.RedHatServices): ++ def service_class_factory(self, name, api=None): ++ return arch_service_class_factory(name, api) ++ ++ ++timedate_services = redhat_services.timedate_services ++service = arch_service_class_factory ++knownservices = ArchServices() +diff --git a/ipaplatform/arch/tasks.py b/ipaplatform/arch/tasks.py +new file mode 100644 +index 000000000..58b837d79 +--- /dev/null ++++ b/ipaplatform/arch/tasks.py +@@ -0,0 +1,19 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.arch.paths import paths ++from ipaplatform.redhat.tasks import RedHatTaskNamespace ++ ++ ++class ArchTaskNamespace(RedHatTaskNamespace): ++ def restore_network_configuration(self, fstore, statestore): ++ filepath = paths.ETC_HOSTNAME ++ if fstore.has_file(filepath): ++ fstore.restore_file(filepath) ++ ++ def is_fips_enabled(self): ++ return False ++ ++ ++tasks = ArchTaskNamespace() +diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py +index 501e2bc56..b47875164 100644 +--- a/ipaplatform/setup.py ++++ b/ipaplatform/setup.py +@@ 
-34,6 +34,7 @@ if __name__ == '__main__': + package_dir={'ipaplatform': ''}, + packages=[ + "ipaplatform", ++ "ipaplatform.arch", + "ipaplatform.base", + "ipaplatform.debian", + "ipaplatform.fedora", +-- +2.13.3 + diff --git a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch deleted file mode 100644 index 6210e954f134..000000000000 --- a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 016245420bfc0a344ddc220cef449e732f8c6a06 Mon Sep 17 00:00:00 2001 -From: Jan Cholasta <jcholast@redhat.com> -Date: Tue, 2 Aug 2016 13:49:36 +0200 -Subject: [PATCH] client install: do not assume /etc/krb5.conf.d exists - ---- - client/ipa-client-install | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/client/ipa-client-install b/client/ipa-client-install -index 74d5d8aae66877dfee9436227bd6c47b7f0fb204..0bbfdab7701c7a6200d087c06d1bdc0559c4433c 100755 ---- a/client/ipa-client-install -+++ b/client/ipa-client-install -@@ -1076,8 +1076,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, - krbconf.setIndent((""," "," ")) - - opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, -- {'name':'empty', 'type':'empty'}, -- {'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}] -+ {'name':'empty', 'type':'empty'}] -+ -+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): -+ opts.append({'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}) - - # SSSD include dir - if options.sssd: --- -2.11.0 - 
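Review bot: `ArchTaskNamespace.is_fips_enabled` in ipaplatform/arch/tasks.py returns `False` unconditionally and has no comment, so on a host whose kernel runs in FIPS mode every caller is told that FIPS is off; what the callers do with that answer is not visible in this patch. Either drop the override so the implementation inherited from `RedHatTaskNamespace` applies (if it works on this platform), or document the reason where the value is hard-coded, e.g. `# FIPS mode is not supported on this platform; always report it as disabled` if that is the actual reason. In the same patch the man pages are changed to name `/etc/conf.d/autofs`, while `ArchPathNamespace.SYSCONFIG_AUTOFS` is set to `"/etc/default/autofs"`; one of the two is presumably wrong and should be aligned.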
@@ -9,145 +9,185 @@ pkgname=(python-ipalib freeipa-common freeipa-client-common freeipa-client) -pkgver=4.4.3 +pkgver=4.5.3 pkgrel=1 pkgdesc='The Identity, Policy and Audit system' arch=('i686' 'x86_64') url='http://www.freeipa.org/' license=('GPL3') -makedepends=('nspr' - 'nss' - 'openssl' - 'openldap' - 'krb5>=1.13' - 'libutil-linux' - 'curl>7.21.7' +makedepends=('openldap' + 'krb5>=1.15.1' 'xmlrpc-c>=1.27.4' 'popt' + 'gettext' 'python' + 'python-setuptools' 'python2' - 'python2-ldap' 'python2-setuptools' + 'nspr' + 'nss' + 'openssl' + 'ding-libs' + 'libsasl' + 'python2-ldap' 'python2-nss' - 'python2-cryptography>=0.9' - 'python2-netaddr' - 'python2-gssapi>=1.1.2' - 'python2-memcached' - 'sssd>=1.14.0' - 'python2-lxml' - 'python2-pyasn1>=0.0.9a' - 'python2-qrcode' - 'python2-dnspython>=1.11.1' - 'systemd' - 'libunistring' - 'python2-yubico>=1.2.3' + 'python2-netaddr>=0.7.16' + 'python2-pyasn1' + 'python2-pyasn1-modules' + 'python2-dnspython' 'python2-six' - 'ding-libs>=0.5.0' - 'python2-dbus' - 'python2-netifaces') -source=("http://freeipa.org/downloads/src/freeipa-$pkgver.tar.gz" - 0001-platform-add-Arch-Linux-platform.patch - 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch - 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch) -sha256sums=('7ab844e16ba23dff9c71d47f59f105a8b2fdb6c407a56326c32528e8e7bb0773' - '73bff9f3677b98c09ff45dd8e2aae7080e0f93218956b978d07346005dab7b6b' - 'e797910b18f7ed3063a9a454b261960fda2ab133f79ee070bee16e4745489d03' - 'bc095e230652a8b421bfd1adb546aa4e720bfe8d15f6a9d6872eccac79b3dcbc') + 'sssd>=1.13.0' + 'python2-cffi' + 'python-jinja' + 'python-pyasn1-modules' + 'python2-jinja') +options=(emptydirs) +source=("https://releases.pagure.org/freeipa/freeipa-${pkgver}.tar.gz" + 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch + 0002-platform-add-Arch-Linux-platform.patch + freeipa-client-update-sshd_config + freeipa-client-update-sshd_config.hook) 
+sha256sums=('94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b' + 'ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e' + 'f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369' + '9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d' + '1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d') prepare() { - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - rm -rf ipaplatform/archlinux + rm -rf ipaplatform/arch - patch -p1 <"$srcdir"/0001-platform-add-Arch-Linux-platform.patch - patch -p1 <"$srcdir"/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch - patch -p1 <"$srcdir"/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch + patch -p1 -i"$srcdir"/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch + patch -p1 -i"$srcdir"/0002-platform-add-Arch-Linux-platform.patch + + # Workaround: We want to build Python things twice. To be sure we do not mess + # up something, do two separate builds in separate directories. + cp -r ../freeipa-${pkgver} ../freeipa-${pkgver}-python3 } build() { - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - # Arch specific export PYTHON=/usr/bin/python2 - mkdir -p _install - - export SUPPORTED_PLATFORM=archlinux - - # Force re-generate of platform support - export IPA_VENDOR_VERSION_SUFFIX=-$pkgrel - rm -f ipapython/version.py - rm -f ipaplatform/services.py - rm -f ipaplatform/tasks.py - rm -f ipaplatform/paths.py - rm -f ipaplatform/constants.py - make version-update - cd client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd .. 
- - make IPA_VERSION_IS_GIT_SNAPSHOT=no client - - make client-install DESTDIR="$PWD"/_install - - (cd ipalib && make PYTHON=/usr/bin/python3 IPA_VERSION_IS_GIT_SNAPSHOT=no DESTDIR=../_install install) - (cd ipapython && make PYTHON=/usr/bin/python3 IPA_VERSION_IS_GIT_SNAPSHOT=no DESTDIR=../_install install) - (cd ipaplatform && /usr/bin/python3 setup.py install --root ../_install) - (cd ipaclient && /usr/bin/python3 setup.py install --root ../_install) - - # Switch shebang of /usr/bin/ipa - # XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2 - # in any case - sed -i -e'1s/python\(3\|$\)/python2/' _install/usr/bin/ipa - - mkdir -p _install/usr/share/ipa - - mkdir -p _install/etc/ipa/ - mkdir -p _install/etc/ipa/nssdb - mkdir -p _install/var/lib/ipa-client/sysrestore - mkdir -p _install/etc/bash_completion.d - install -pm 644 contrib/completion/ipa.bash_completion _install/etc/bash_completion.d/ipa + # Workaround: make sure all shebangs are pointing to Python 2 + # This should be solved properly using setuptools + # and this hack should be removed. + find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python2|' {} \; + ./configure --prefix=/usr \ + --sysconfdir=/etc \ + --sbindir=/usr/bin \ + --with-vendor-suffix=-arch-${pkgrel} \ + --disable-server \ + --without-ipatests \ + --disable-pylint --without-jslint + + make + + pushd ../freeipa-${pkgver}-python3 + export PYTHON=/usr/bin/python3 + # Workaround: make sure all shebangs are pointing to Python 3 + # This should be solved properly using setuptools + # and this hack should be removed. + find \ + ! -name '*.pyc' -a \ + ! 
-name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python3|' {} \; + ./configure --prefix=/usr \ + --sysconfdir=/etc \ + --sbindir=/usr/bin \ + --with-vendor-suffix=-arch-${pkgrel} \ + --disable-server \ + --without-ipatests \ + --disable-pylint --without-jslint + popd + + mkdir -p ../install + + # Please put as much logic as possible into make install. It allows: + # - easier porting to other distributions + # - rapid devel & install cycle using make install + # (instead of full RPM build and installation each time) + # + # All files and directories created by spec install should be marked as ghost. + # (These are typically configuration files created by IPA installer.) + # All other artifacts should be created by make install. + # + # Exception to this rule are test programs which where want to install + # Python2/3 versions at the same time so we need to rename them. Yuck. + + # Python 3 installation needs to be done first. Subsequent Python 2 install + # will overwrite /usr/bin/ipa and other scripts with variants using + # python2 shebang. 
+ pushd ../freeipa-${pkgver}-python3 + (cd ipaclient && make install DESTDIR=../../install) + (cd ipalib && make install DESTDIR=../../install) + (cd ipaplatform && make install DESTDIR=../../install) + (cd ipapython && make install DESTDIR=../../install) + popd + + # Python 2 installation + make install DESTDIR="$PWD"/../install + + # remove files which are useful only for make uninstall + find ../install -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; + + /bin/touch ../install/etc/ipa/default.conf + /bin/touch ../install/etc/ipa/ca.crt + + mkdir -p ../install/etc/ipa/ + mkdir -p ../install/etc/ipa/nssdb + mkdir -p ../install/var/lib/ipa-client/pki + mkdir -p ../install/var/lib/ipa-client/sysrestore } package_python-ipalib() { pkgdesc='Python libraries used by IPA' arch=('any') depends=("freeipa-common=$pkgver-$pkgrel" - 'python-gssapi>=1.1.2' + 'python-gssapi>=1.2.0' 'gnupg' 'keyutils' 'python-nss>=0.16' - 'python-cryptography>=0.9' - 'python-lxml' - 'python-netaddr' + 'python-cryptography>=1.4' + 'python-netaddr>=0.7.16' 'sssd' 'python-qrcode>=5.0.0' 'python-pyasn1' + 'python-pyasn1-modules' 'python-dateutil' 'python-yubico>=1.2.3' 'python-dbus' 'python-setuptools' 'python-six' 'python-pyldap>=2.4.15' - 'python-dnspython>=1.11.1' + 'python-dnspython>=1.15' 'python-netifaces>=0.10.4' 'python-pyusb') provides=("python-ipapython=$pkgver-$pkgrel" "python-ipaplatform=$pkgver-$pkgrel") - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/usr/lib/python3.*/site-packages/ipapython \ - _install/usr/lib/python3.*/site-packages/ipalib \ - _install/usr/lib/python3.*/site-packages/ipaplatform \ - _install/usr/lib/python3.*/site-packages/ipapython-*.egg-info \ - _install/usr/lib/python3.*/site-packages/ipalib-*.egg-info \ - 
_install/usr/lib/python3.*/site-packages/ipaplatform-*.egg-info + for _file in ../install/usr/lib/python3.*/site-packages/ipapython \ + ../install/usr/lib/python3.*/site-packages/ipalib \ + ../install/usr/lib/python3.*/site-packages/ipaplatform \ + ../install/usr/lib/python3.*/site-packages/ipapython-*.egg-info \ + ../install/usr/lib/python3.*/site-packages/ipalib-*.egg-info \ + ../install/usr/lib/python3.*/site-packages/ipaplatform-*.egg-info do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } @@ -157,20 +197,21 @@ package_python-ipaclient() { depends=("freeipa-client-common=$pkgver-$pkgrel" "freeipa-common=$pkgver-$pkgrel" "python-ipalib=$pkgver-$pkgrel" - 'python-dnspython>=1.11.1') + 'python-dnspython>=1.15' + 'python-jinja') - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/usr/lib/python3.*/site-packages/ipaclient \ - _install/usr/lib/python3.*/site-packages/ipaclient-*.egg-info + for _file in ../install/usr/lib/python3.*/site-packages/ipaclient \ + ../install/usr/lib/python3.*/site-packages/ipaclient-*.egg-info do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } 
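Review bot: In build(), `/bin/touch ../install/etc/ipa/default.conf` and `/bin/touch ../install/etc/ipa/ca.crt` run before `mkdir -p ../install/etc/ipa/`, so they only work if `make install` has already created that directory and fail otherwise. Moving the `mkdir -p` lines above the two `touch` calls removes that dependency. None of the package_ functions visible on this page picks up either file, so the placeholders look like a carry-over from the RPM spec's ghost files and could probably be dropped. An empty `ca.crt` should not end up in a package in any case.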
@@ -178,23 +219,25 @@ package_python2-ipalib() { pkgdesc='Python libraries used by IPA' arch=('any') depends=("freeipa-common=$pkgver-$pkgrel" - 'python2-gssapi>=1.1.2' + 'python2-gssapi>=1.2.0' 'gnupg' 'keyutils' + 'python2>=2.7.9' 'python2-nss>=0.16' - 'python2-cryptography>=0.9' - 'python2-lxml' - 'python2-netaddr' + 'python2-cryptography>=1.4' + 'python2-netaddr>=0.7.16' 'sssd' 'python2-qrcode>=5.0.0' 'python2-pyasn1' + 'python2-pyasn1-modules' 'python2-dateutil' 'python2-yubico>=1.2.3' 'python2-dbus' 'python2-setuptools' 'python2-six' 'python2-ldap>=2.4.15' - 'python2-dnspython>=1.11.1' + 'python2-dnspython>=1.15' + 'python2-enum34' 'python2-netifaces>=0.10.4' 'python2-pyusb') provides=("python2-ipapython=$pkgver-$pkgrel" @@ -202,22 +245,22 @@ package_python2-ipalib() { conflicts=('freeipa-python') replaces=('freeipa-python') - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/usr/lib/python2.*/site-packages/ipapython \ - _install/usr/lib/python2.*/site-packages/ipalib \ - _install/usr/lib/python2.*/site-packages/ipaplatform \ - _install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \ - _install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \ - _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info + for _file in ../install/usr/lib/python2.*/site-packages/ipapython \ + ../install/usr/lib/python2.*/site-packages/ipalib \ + ../install/usr/lib/python2.*/site-packages/ipaplatform \ + ../install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \ + ../install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \ + ../install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } 
@@ -227,20 +270,21 @@ package_python2-ipaclient() { depends=("freeipa-client-common=$pkgver-$pkgrel" "freeipa-common=$pkgver-$pkgrel" "python2-ipalib=$pkgver-$pkgrel" - 'python2-dnspython>=1.11.1') + 'python2-dnspython>=1.15' + 'python2-jinja') - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/usr/lib/python2.*/site-packages/ipaclient \ - _install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info + for _file in ../install/usr/lib/python2.*/site-packages/ipaclient \ + ../install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } @@ -250,17 +294,17 @@ package_freeipa-common() { conflicts=('freeipa-python') replaces=('freeipa-python') - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/usr/share/locale/*/*/ipa.mo + for _file in ../install/usr/share/locale/*/*/ipa.mo do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } 
@@ -268,20 +312,20 @@ package_freeipa-client-common() { pkgdesc='Common files used by IPA client' arch=('any') - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/etc/ipa/nssdb \ - _install/usr/share/ipa \ - _install/var/lib/ipa-client/sysrestore \ - _install/usr/share/man/man5/default.conf.5.gz + for _file in ../install/etc/ipa/nssdb \ + ../install/var/lib/ipa-client/pki \ + ../install/var/lib/ipa-client/sysrestore \ + ../install/usr/share/man/man5/default.conf.5* do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" "$pkgdir"/"$_file" done } @@ -304,7 +348,7 @@ package_freeipa-client() { 'nss' 'bind-tools' 'oddjob' - 'python2-gssapi>=1.1.2' + 'python2-gssapi>=1.2.0' 'autofs' 'nfsidmap' 'nfs-utils') 
@@ -312,30 +356,35 @@ package_freeipa-client() { replaces=('freeipa-admintools') install=freeipa-client.install - cd "${pkgbase}-${pkgver}" + cd freeipa-${pkgver} + + install -D -t"$pkgdir"/usr/share/libalpm/scripts \ + "$srcdir"/freeipa-client-update-sshd_config + install -D -m644 -t"$pkgdir"/usr/share/libalpm/hooks \ + "$srcdir"/freeipa-client-update-sshd_config.hook \ - install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \ Contributors.txt local _file - for _file in _install/etc/bash_completion.d \ - _install/usr/bin/ipa \ - _install/usr/bin/ipa-client-install \ - _install/usr/bin/ipa-client-automount \ - _install/usr/bin/ipa-certupdate \ - _install/usr/bin/ipa-getkeytab \ - _install/usr/bin/ipa-rmkeytab \ - _install/usr/bin/ipa-join \ - _install/usr/share/man/man1/ipa.1 \ - _install/usr/share/man/man1/ipa-getkeytab.1.gz \ - _install/usr/share/man/man1/ipa-rmkeytab.1.gz \ - _install/usr/share/man/man1/ipa-client-install.1.gz \ - _install/usr/share/man/man1/ipa-client-automount.1.gz \ - _install/usr/share/man/man1/ipa-certupdate.1.gz \ - _install/usr/share/man/man1/ipa-join.1.gz + for _file in ../install/etc/bash_completion.d \ + ../install/usr/bin/ipa \ + ../install/usr/bin/ipa-client-install \ + ../install/usr/bin/ipa-client-automount \ + ../install/usr/bin/ipa-certupdate \ + ../install/usr/bin/ipa-getkeytab \ + ../install/usr/bin/ipa-rmkeytab \ + ../install/usr/bin/ipa-join \ + ../install/usr/share/man/man1/ipa.1 \ + ../install/usr/share/man/man1/ipa-getkeytab.1* \ + ../install/usr/share/man/man1/ipa-rmkeytab.1* \ + ../install/usr/share/man/man1/ipa-client-install.1* \ + ../install/usr/share/man/man1/ipa-client-automount.1* \ + ../install/usr/share/man/man1/ipa-certupdate.1* \ + ../install/usr/share/man/man1/ipa-join.1* do - _file="${_file#_install/}" + _file="${_file#../install/}" mkdir -p "$pkgdir"/"${_file%/*}" - mv _install/"$_file" "$pkgdir"/"$_file" + mv ../install/"$_file" 
"$pkgdir"/"$_file" done } diff --git a/freeipa-client-update-sshd_config b/freeipa-client-update-sshd_config new file mode 100755 index 000000000000..94cb255ca40e --- /dev/null +++ b/freeipa-client-update-sshd_config @@ -0,0 +1,35 @@ +#!/bin/bash + +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then + sed -r ' + /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d + ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew + + if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ + s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + fi + + mv -Z/etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + chmod 644 /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi +fi 
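Review bot: The added hooks install command ends with a stray ` \` after `"$srcdir"/freeipa-client-update-sshd_config.hook`, so the shell joins the following line onto it. That is harmless only if the next line is blank, which the collapsed layout here does not let me confirm; otherwise the README.md install becomes arguments of the hook install. Drop the trailing backslash. The script itself is installed with install's default mode; writing `install -D -m755 -t"$pkgdir"/usr/share/libalpm/scripts` would make the intended permissions of a root-run hook script explicit.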
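Review bot: The line `mv -Z/etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config` has lost the space after `-Z` that the copy removed from freeipa-client.install had. mv will most likely parse the path as clustered options and fail, leaving sshd_config untouched while `chmod` and the sshd restart still run; it should read `mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config`. Because this now runs as root after every openssh install or upgrade, I would also validate the candidate before replacing the live file, e.g. `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew || exit 0`. When none of the three probes succeeds, the file is otherwise moved into place with the run-as directive stripped. The mode also changes from `chmod 600` to `chmod 644`, which deserves a comment saying it is intentional.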
diff --git a/freeipa-client-update-sshd_config.hook b/freeipa-client-update-sshd_config.hook new file mode 100644 index 000000000000..410d6f5334fb --- /dev/null +++ b/freeipa-client-update-sshd_config.hook @@ -0,0 +1,9 @@ +[Trigger] +Operation=Install +Operation=Upgrade +Type=Package +Target=openssh + +[Action] +When=PostTransaction +Exec=/usr/share/libalpm/scripts/freeipa-client-update-sshd_config diff --git a/freeipa-client.install b/freeipa-client.install index d2e6d3dc1c8c..5778c35f0615 100644 --- a/freeipa-client.install +++ b/freeipa-client.install 
@@ -11,50 +11,25 @@ post_upgrade() { fi fi - if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then - if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then - sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew - mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd + if [ $restore -ge 2 ]; then + if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then + sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem + fi + fi + + if [ -f '/etc/conf.d/ntpd.conf' -a $restore -ge 2 ]; then + if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/conf.d/ntpd.conf 2>/dev/null; then + sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/conf.d/ntpd.conf >/etc/conf.d/ntpd.conf.ipanew + mv -Z /etc/conf.d/ntpd.conf.ipanew /etc/conf.d/ntpd.conf /bin/systemctl condrestart ntpd.service 2>&1 || : fi fi if [ $restore -ge 2 ]; then - python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 - fi - - # Has the client been configured? 
- restore=0 - test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') - - if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then - if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then - sed -r ' - /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d - ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew - - if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then - sed -ri ' - s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ - s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ - ' /etc/ssh/sshd_config.ipanew - elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then - sed -ri ' - s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ - s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ - ' /etc/ssh/sshd_config.ipanew - elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then - sed -ri ' - s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ - s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ - ' /etc/ssh/sshd_config.ipanew - fi - - mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config - chmod 600 /etc/ssh/sshd_config - - /bin/systemctl condrestart sshd.service 2>&1 || : - fi + python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi } |
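Review bot: In the new krb5.conf block the `sed ... >/etc/krb5.conf.ipanew` and the following `mv -Z` are not chained, so a failed or interrupted sed replaces /etc/krb5.conf with an empty or truncated file. krb5.conf is also switched to the new `pkinit_anchors`/`pkinit_pool` paths before the two `cp /etc/ipa/ca.crt ...` lines populate them. A failed copy, for example because /var/lib/ipa-client/pki is missing, leaves PKINIT pointing at trust-anchor files that do not exist. I would copy the bundles first and chain the steps with `&&`, ending in `mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf`. post_upgrade() starts above this hunk, including the assignment of `$restore`.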