authorJan Cholasta2017-06-27 09:51:41 +0200
committerJan Cholasta2017-07-28 16:06:53 +0200
commitbfc22a02d2f0d508e1248a403d8a4334d0827b38 (patch)
tree99a70b35ce5826bc95d3cc4cd36b28488b57982a
parent7cf0bd5dc82ca4c20410dd5341c7ace5e185f0c0 (diff)
downloadaur-bfc22a02d2f0d508e1248a403d8a4334d0827b38.tar.gz
freeipa-4.5.3-1
-rw-r--r--.SRCINFO121
-rw-r--r--0001-install-do-not-assume-etc-krb5.conf.d-exists.patch196
-rw-r--r--0001-platform-add-Arch-Linux-platform.patch205
-rw-r--r--0002-dogtag-vault-do-not-import-pki-in-makeapi.patch39
-rw-r--r--0002-platform-add-Arch-Linux-platform.patch200
-rw-r--r--0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch29
-rw-r--r--PKGBUILD351
-rwxr-xr-xfreeipa-client-update-sshd_config35
-rw-r--r--freeipa-client-update-sshd_config.hook9
-rw-r--r--freeipa-client.install53
10 files changed, 716 insertions, 522 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 23c060e0a86a..27a3d02588b5 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,119 +1,122 @@
pkgbase = freeipa
pkgdesc = The Identity, Policy and Audit system
- pkgver = 4.4.3
+ pkgver = 4.5.3
pkgrel = 1
url = http://www.freeipa.org/
arch = i686
arch = x86_64
license = GPL3
- makedepends = nspr
- makedepends = nss
- makedepends = openssl
makedepends = openldap
- makedepends = krb5>=1.13
- makedepends = libutil-linux
- makedepends = curl>7.21.7
+ makedepends = krb5>=1.15.1
makedepends = xmlrpc-c>=1.27.4
makedepends = popt
+ makedepends = gettext
makedepends = python
+ makedepends = python-setuptools
makedepends = python2
- makedepends = python2-ldap
makedepends = python2-setuptools
+ makedepends = nspr
+ makedepends = nss
+ makedepends = openssl
+ makedepends = ding-libs
+ makedepends = libsasl
+ makedepends = python2-ldap
makedepends = python2-nss
- makedepends = python2-cryptography>=0.9
- makedepends = python2-netaddr
- makedepends = python2-gssapi>=1.1.2
- makedepends = python2-memcached
- makedepends = sssd>=1.14.0
- makedepends = python2-lxml
- makedepends = python2-pyasn1>=0.0.9a
- makedepends = python2-qrcode
- makedepends = python2-dnspython>=1.11.1
- makedepends = systemd
- makedepends = libunistring
- makedepends = python2-yubico>=1.2.3
+ makedepends = python2-netaddr>=0.7.16
+ makedepends = python2-pyasn1
+ makedepends = python2-pyasn1-modules
+ makedepends = python2-dnspython
makedepends = python2-six
- makedepends = ding-libs>=0.5.0
- makedepends = python2-dbus
- makedepends = python2-netifaces
- source = http://freeipa.org/downloads/src/freeipa-4.4.3.tar.gz
- source = 0001-platform-add-Arch-Linux-platform.patch
- source = 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
- source = 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
- sha256sums = 7ab844e16ba23dff9c71d47f59f105a8b2fdb6c407a56326c32528e8e7bb0773
- sha256sums = 73bff9f3677b98c09ff45dd8e2aae7080e0f93218956b978d07346005dab7b6b
- sha256sums = e797910b18f7ed3063a9a454b261960fda2ab133f79ee070bee16e4745489d03
- sha256sums = bc095e230652a8b421bfd1adb546aa4e720bfe8d15f6a9d6872eccac79b3dcbc
+ makedepends = sssd>=1.13.0
+ makedepends = python2-cffi
+ makedepends = python-jinja
+ makedepends = python-pyasn1-modules
+ makedepends = python2-jinja
+ options = emptydirs
+ source = https://releases.pagure.org/freeipa/freeipa-4.5.3.tar.gz
+ source = 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
+ source = 0002-platform-add-Arch-Linux-platform.patch
+ source = freeipa-client-update-sshd_config
+ source = freeipa-client-update-sshd_config.hook
+ sha256sums = 94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b
+ sha256sums = ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e
+ sha256sums = f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369
+ sha256sums = 9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d
+ sha256sums = 1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d
pkgname = python-ipalib
pkgdesc = Python libraries used by IPA
arch = any
- depends = freeipa-common=4.4.3-1
- depends = python-gssapi>=1.1.2
+ depends = freeipa-common=4.5.3-1
+ depends = python-gssapi>=1.2.0
depends = gnupg
depends = keyutils
depends = python-nss>=0.16
- depends = python-cryptography>=0.9
- depends = python-lxml
- depends = python-netaddr
+ depends = python-cryptography>=1.4
+ depends = python-netaddr>=0.7.16
depends = sssd
depends = python-qrcode>=5.0.0
depends = python-pyasn1
+ depends = python-pyasn1-modules
depends = python-dateutil
depends = python-yubico>=1.2.3
depends = python-dbus
depends = python-setuptools
depends = python-six
depends = python-pyldap>=2.4.15
- depends = python-dnspython>=1.11.1
+ depends = python-dnspython>=1.15
depends = python-netifaces>=0.10.4
depends = python-pyusb
- provides = python-ipapython=4.4.3-1
- provides = python-ipaplatform=4.4.3-1
+ provides = python-ipapython=4.5.3-1
+ provides = python-ipaplatform=4.5.3-1
pkgname = python-ipaclient
pkgdesc = Python libraries used by IPA client
arch = any
- depends = freeipa-client-common=4.4.3-1
- depends = freeipa-common=4.4.3-1
- depends = python-ipalib=4.4.3-1
- depends = python-dnspython>=1.11.1
+ depends = freeipa-client-common=4.5.3-1
+ depends = freeipa-common=4.5.3-1
+ depends = python-ipalib=4.5.3-1
+ depends = python-dnspython>=1.15
+ depends = python-jinja
pkgname = python2-ipalib
pkgdesc = Python libraries used by IPA
arch = any
- depends = freeipa-common=4.4.3-1
- depends = python2-gssapi>=1.1.2
+ depends = freeipa-common=4.5.3-1
+ depends = python2-gssapi>=1.2.0
depends = gnupg
depends = keyutils
+ depends = python2>=2.7.9
depends = python2-nss>=0.16
- depends = python2-cryptography>=0.9
- depends = python2-lxml
- depends = python2-netaddr
+ depends = python2-cryptography>=1.4
+ depends = python2-netaddr>=0.7.16
depends = sssd
depends = python2-qrcode>=5.0.0
depends = python2-pyasn1
+ depends = python2-pyasn1-modules
depends = python2-dateutil
depends = python2-yubico>=1.2.3
depends = python2-dbus
depends = python2-setuptools
depends = python2-six
depends = python2-ldap>=2.4.15
- depends = python2-dnspython>=1.11.1
+ depends = python2-dnspython>=1.15
+ depends = python2-enum34
depends = python2-netifaces>=0.10.4
depends = python2-pyusb
- provides = python2-ipapython=4.4.3-1
- provides = python2-ipaplatform=4.4.3-1
+ provides = python2-ipapython=4.5.3-1
+ provides = python2-ipaplatform=4.5.3-1
conflicts = freeipa-python
replaces = freeipa-python
pkgname = python2-ipaclient
pkgdesc = Python libraries used by IPA client
arch = any
- depends = freeipa-client-common=4.4.3-1
- depends = freeipa-common=4.4.3-1
- depends = python2-ipalib=4.4.3-1
- depends = python2-dnspython>=1.11.1
+ depends = freeipa-client-common=4.5.3-1
+ depends = freeipa-common=4.5.3-1
+ depends = python2-ipalib=4.5.3-1
+ depends = python2-dnspython>=1.15
+ depends = python2-jinja
pkgname = freeipa-common
pkgdesc = Common files used by IPA
@@ -128,9 +131,9 @@ pkgname = freeipa-client-common
pkgname = freeipa-client
pkgdesc = IPA authentication for use on clients
install = freeipa-client.install
- depends = freeipa-client-common=4.4.3-1
- depends = freeipa-common=4.4.3-1
- depends = python2-ipaclient=4.4.3-1
+ depends = freeipa-client-common=4.5.3-1
+ depends = freeipa-common=4.5.3-1
+ depends = python2-ipaclient=4.5.3-1
depends = python2-ldap
depends = cyrus-sasl-gssapi
depends = ntp
@@ -144,7 +147,7 @@ pkgname = freeipa-client
depends = nss
depends = bind-tools
depends = oddjob
- depends = python2-gssapi>=1.1.2
+ depends = python2-gssapi>=1.2.0
depends = autofs
depends = nfsidmap
depends = nfs-utils
diff --git a/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
new file mode 100644
index 000000000000..411f30112082
--- /dev/null
+++ b/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
@@ -0,0 +1,196 @@
+From c2a9ff7a7d5384bdb036b8679b71527f5ff64bbd Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Mon, 20 Mar 2017 06:56:53 +0000
+Subject: [PATCH 1/2] install: do not assume /etc/krb5.conf.d exists
+
+Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
+/etc/krb5.conf.d exists.
+
+Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
+
+This fixes install on platforms which do not have /etc/krb5.conf.d.
+
+https://pagure.io/freeipa/issue/6589
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
+---
+ daemons/ipa-kdb/Makefile.am | 6 ------
+ daemons/ipa-kdb/ipa-certauth | 5 -----
+ freeipa.spec.in | 1 -
+ install/share/krb5.conf.template | 7 ++++++-
+ ipaclient/install/client.py | 16 ++++++++++------
+ ipaserver/install/krbinstance.py | 8 +++++++-
+ ipaserver/install/server/upgrade.py | 33 +++++++++++++++++++++++++++++++++
+ 8 files changed, 56 insertions(+), 21 deletions(-)
+ delete mode 100644 daemons/ipa-kdb/ipa-certauth
+
+diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
+index 259bc3b20..5669349af 100644
+--- a/daemons/ipa-kdb/Makefile.am
++++ b/daemons/ipa-kdb/Makefile.am
+@@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports
+
+ if BUILD_IPA_CERTAUTH_PLUGIN
+ ipadb_la_SOURCES += ipa_kdb_certauth.c
+-
+-
+-krb5confdir = $(sysconfdir)/krb5.conf.d
+-krb5conf_DATA = ipa-certauth
+-else
+-dist_noinst_DATA += ipa-certauth
+ endif
+
+ ipadb_la_LDFLAGS = \
+diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth
+deleted file mode 100644
+index 6fde08284..000000000
+--- a/daemons/ipa-kdb/ipa-certauth
++++ /dev/null
+@@ -1,5 +0,0 @@
+-[plugins]
+- certauth = {
+- module = ipakdb:kdb/ipadb.so
+- enable_only = ipakdb
+- }
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index a8b5ce81f..80f302130 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -1207,7 +1207,6 @@ fi
+ %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
+ %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
+ %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
+-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
+ %dir %{_libexecdir}/ipa/certmonger
+ %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
+ # NOTE: systemd specific section
+diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
+index 1f18ff90d..e3420e537 100644
+--- a/install/share/krb5.conf.template
++++ b/install/share/krb5.conf.template
+@@ -1,4 +1,4 @@
+-includedir /etc/krb5.conf.d/
++$INCLUDES
+ includedir /var/lib/sss/pubconf/krb5.include.d/
+
+ [logging]
+@@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS
+ db_library = ipadb.so
+ }
+
++[plugins]
++ certauth = {
++ module = ipakdb:kdb/ipadb.so
++ enable_only = ipakdb
++ }
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index c88061320..2d64a4494 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -640,14 +640,18 @@ def configure_krb5_conf(
+ 'value': 'File modified by ipa-client-install'
+ },
+ krbconf.emptyLine(),
+- {
+- 'name': 'includedir',
+- 'type': 'option',
+- 'value': paths.COMMON_KRB5_CONF_DIR,
+- 'delim': ' '
+- }
+ ]
+
++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
++ opts.extend([
++ {
++ 'name': 'includedir',
++ 'type': 'option',
++ 'value': paths.COMMON_KRB5_CONF_DIR,
++ 'delim': ' '
++ }
++ ])
++
+ # SSSD include dir
+ if configure_sssd:
+ opts.extend([
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 6b51e65d1..f0875fbc9 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -249,6 +249,11 @@ class KrbInstance(service.Service):
+ root_logger.critical("krb5kdc service failed to start")
+
+ def __setup_sub_dict(self):
++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
++ includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
++ else:
++ includes = ''
++
+ self.sub_dict = dict(FQDN=self.fqdn,
+ IP=self.ip,
+ PASSWORD=self.kdc_password,
+@@ -264,7 +269,8 @@ class KrbInstance(service.Service):
+ KDC_KEY=paths.KDC_KEY,
+ CACERT_PEM=paths.CACERT_PEM,
+ KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
+- CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
++ CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
++ INCLUDES=includes)
+
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 732776f2c..9c28c22fc 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1549,6 +1549,38 @@ def setup_pkinit(krb):
+ aug.close()
+
+
++def enable_certauth(krb):
++ root_logger.info("[Enable certauth]")
++
++ aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
++ loadpath=paths.USR_SHARE_IPA_DIR)
++ try:
++ aug.transform('IPAKrb5', paths.KRB5_CONF)
++ aug.load()
++
++ path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
++ modified = False
++
++ if not aug.match(path):
++ aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
++ aug.set('{}/enable_only'.format(path), 'ipakdb')
++ modified = True
++
++ if modified:
++ try:
++ aug.save()
++ except IOError:
++ for error_path in aug.match('/augeas//error'):
++ root_logger.error('augeas: %s', aug.get(error_path))
++ raise
++
++ if krb.is_running():
++ krb.stop()
++ krb.start()
++ finally:
++ aug.close()
++
++
+ def disable_httpd_system_trust(http):
+ ca_certs = []
+
+@@ -1842,6 +1874,7 @@ def upgrade_configuration():
+ CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
+ krb.add_anonymous_principal()
+ setup_pkinit(krb)
++ enable_certauth(krb)
+
+ if not ds_running:
+ ds.stop(ds_serverid)
+--
+2.13.3
+
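Review bot: The new `os.path.exists(paths.COMMON_KRB5_CONF_DIR)` guards in `configure_krb5_conf` (ipaclient/install/client.py) and `__setup_sub_dict` (ipaserver/install/krbinstance.py) also pass when the path exists but is not a directory, so an `includedir` line would still be written for it. `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):` states the intent more precisely in both places. The check is also evaluated only when krb5.conf is generated, and nothing visible in this patch revisits it, so drop-in settings placed in a directory created later would not be picked up. A short comment at each guard would make that explicit, e.g. `# includedir is decided when krb5.conf is written; regenerate if the directory is added later`. Both functions are only partly visible in the embedded patch.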
diff --git a/0001-platform-add-Arch-Linux-platform.patch b/0001-platform-add-Arch-Linux-platform.patch
deleted file mode 100644
index cdf92d8ceed1..000000000000
--- a/0001-platform-add-Arch-Linux-platform.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 57f997fefd917d9d8d13b1d94982c9a9b09156f6 Mon Sep 17 00:00:00 2001
-From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
-Date: Wed, 16 Apr 2014 19:31:08 -0400
-Subject: [PATCH] platform: add Arch Linux platform
-
-This patch has been adapted from the patches provided with freeipa package
-in the Arch User Repository (AUR).
-
-Signed-off-by: Jan Cholasta <jcholast@redhat.com>
----
- client/man/ipa-client-automount.1 | 4 ++--
- client/man/ipa-client-install.1 | 4 ++--
- ipaplatform/archlinux/__init__.py | 3 +++
- ipaplatform/archlinux/constants.py | 12 ++++++++++++
- ipaplatform/archlinux/paths.py | 22 ++++++++++++++++++++++
- ipaplatform/archlinux/services.py | 38 ++++++++++++++++++++++++++++++++++++++
- ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++
- ipaplatform/setup.py.in | 1 +
- 8 files changed, 96 insertions(+), 4 deletions(-)
- create mode 100644 ipaplatform/archlinux/__init__.py
- create mode 100644 ipaplatform/archlinux/constants.py
- create mode 100644 ipaplatform/archlinux/paths.py
- create mode 100644 ipaplatform/archlinux/services.py
- create mode 100644 ipaplatform/archlinux/tasks.py
-
-diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
-index 5b60503f1304d0a0b03a8862708ba126c50c7eff..16ccbeadc6a453ad43343c68b4662c089a359aaa 100644
---- a/client/man/ipa-client-automount.1
-+++ b/client/man/ipa-client-automount.1
-@@ -29,7 +29,7 @@ The automount configuration consists of three files:
- .IP o
- /etc/nsswitch.conf
- .IP o
--/etc/sysconfig/autofs
-+/etc/conf.d/autofs
- .IP o
- /etc/autofs_ldap_auth.conf
-
-@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default):
- .TP
- Files that will be configured when using the ldap automount client:
-
--/etc/sysconfig/autofs
-+/etc/conf.d/autofs
-
- /etc/autofs_ldap_auth.conf
-
-diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
-index 26c940721413a785068b6b79622a42a816c1ef77..468695cf06c76a899ca94af4f83f818f8afdc9f2 100644
---- a/client/man/ipa-client-install.1
-+++ b/client/man/ipa-client-install.1
-@@ -257,7 +257,7 @@ Files replaced if NTP is enabled:
-
- /etc/ntp.conf
- .br
--/etc/sysconfig/ntpd
-+/etc/conf.d/ntpd.conf
- .br
- /etc/ntp/step\-tickers
- .TP
-@@ -279,7 +279,7 @@ Files updated, existing content is maintained:
- .br
- /etc/krb5.keytab
- .br
--/etc/sysconfig/network
-+/etc/hostname
- .SH "EXIT STATUS"
- 0 if the installation was successful
-
-diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..9da42e7b4d782ef596e8fda080b6c1994b901866
---- /dev/null
-+++ b/ipaplatform/archlinux/__init__.py
-@@ -0,0 +1,3 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..148abd83f72d12263659f78326fdabd91bed5227
---- /dev/null
-+++ b/ipaplatform/archlinux/constants.py
-@@ -0,0 +1,12 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.redhat.constants import RedHatConstantsNamespace
-+
-+
-+class ArchLinuxConstantsNamespace(RedHatConstantsNamespace):
-+ pass
-+
-+
-+constants = ArchLinuxConstantsNamespace()
-diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..a7b8ea7b4cc959c4237a16fd68e7422bf1a359a1
---- /dev/null
-+++ b/ipaplatform/archlinux/paths.py
-@@ -0,0 +1,22 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.redhat.paths import RedHatPathNamespace
-+
-+
-+class ArchLinuxPathNamespace(RedHatPathNamespace):
-+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf"
-+ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
-+ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf"
-+ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf"
-+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
-+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = (
-+ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit")
-+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = (
-+ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit")
-+ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard"
-+ LIB64_FIREFOX = "/usr/lib/firefox"
-+
-+
-+paths = ArchLinuxPathNamespace()
-diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..c0fb6fb9403422f2699ef1a2e5521d7871dac3a0
---- /dev/null
-+++ b/ipaplatform/archlinux/services.py
-@@ -0,0 +1,38 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.redhat.services import (RedHatService,
-+ redhat_service_class_factory,
-+ RedHatServices,
-+ RedHatSSHService,
-+ redhat_system_units,
-+ timedate_services)
-+
-+archlinux_system_units = dict(redhat_system_units)
-+archlinux_system_units['messagebus'] = 'dbus.service'
-+archlinux_system_units['rpcgssd'] = 'rpc-gssd.service'
-+archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service'
-+
-+
-+class ArchLinuxService(RedHatService):
-+ system_units = archlinux_system_units
-+
-+
-+class ArchLinuxSSHService(ArchLinuxService, RedHatSSHService):
-+ pass
-+
-+
-+def archlinux_service_class_factory(name):
-+ if name == 'sshd':
-+ return ArchLinuxSSHService(name)
-+ return ArchLinuxService(name)
-+
-+
-+class ArchLinuxServices(RedHatServices):
-+ def service_class_factory(self, name):
-+ return archlinux_service_class_factory(name)
-+
-+
-+service = archlinux_service_class_factory
-+knownservices = ArchLinuxServices()
-diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..cae3245c874bd42f326b379e6bb39573f0b52acb
---- /dev/null
-+++ b/ipaplatform/archlinux/tasks.py
-@@ -0,0 +1,16 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.archlinux.paths import paths
-+from ipaplatform.redhat.tasks import RedHatTaskNamespace
-+
-+
-+class ArchLinuxTaskNamespace(RedHatTaskNamespace):
-+ def restore_network_configuration(self, fstore, statestore):
-+ filepath = paths.ETC_HOSTNAME
-+ if fstore.has_file(filepath):
-+ fstore.restore_file(filepath)
-+
-+
-+tasks = ArchLinuxTaskNamespace()
-diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in
-index 11bb7573fd8a5c72da1c40ba4fd222fdc1a872d3..2d355fc1765b83a8b5945ab7e0b08f8781408216 100644
---- a/ipaplatform/setup.py.in
-+++ b/ipaplatform/setup.py.in
-@@ -65,6 +65,7 @@ def setup_package():
- classifiers=[line for line in CLASSIFIERS.split('\n') if line],
- package_dir = {'ipaplatform': ''},
- packages = ["ipaplatform",
-+ "ipaplatform.archlinux",
- "ipaplatform.base",
- "ipaplatform.fedora",
- "ipaplatform.redhat",
---
-2.11.0
-
diff --git a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
deleted file mode 100644
index 1899ba359df9..000000000000
--- a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 7002cc97bfa2ddc9666551e9b4536d6e106a0137 Mon Sep 17 00:00:00 2001
-From: Jan Cholasta <jcholast@redhat.com>
-Date: Tue, 2 Aug 2016 12:56:44 +0200
-Subject: [PATCH] dogtag, vault: do not import `pki` in makeapi
-
----
- ipaserver/plugins/dogtag.py | 2 +-
- ipaserver/plugins/vault.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
-index 644b41e90f2d377ae9b70cf4719ab8789fdfc649..448b82b4a0749b6eb99ef7d1e3a9ea4501410a1d 100644
---- a/ipaserver/plugins/dogtag.py
-+++ b/ipaserver/plugins/dogtag.py
-@@ -253,7 +253,7 @@ import ipapython.cookie
- from ipapython import dogtag
- from ipapython import ipautil
-
--if api.env.in_server:
-+if not api.env.validate_api:
- import pki
- from pki.client import PKIConnection
- import pki.crypto as cryptoutil
-diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
-index 5c4c09685ceb95c6634306c4275008d602099e12..2f097e20327d88448dc470ab3ae719e585a4a8df 100644
---- a/ipaserver/plugins/vault.py
-+++ b/ipaserver/plugins/vault.py
-@@ -35,7 +35,7 @@ from ipalib import _, ngettext
- from ipapython import kerberos
- from ipapython.dn import DN
-
--if api.env.in_server:
-+if not api.env.validate_api:
- import pki.account
- import pki.key
-
---
-2.11.0
-
diff --git a/0002-platform-add-Arch-Linux-platform.patch b/0002-platform-add-Arch-Linux-platform.patch
new file mode 100644
index 000000000000..420baecf153d
--- /dev/null
+++ b/0002-platform-add-Arch-Linux-platform.patch
@@ -0,0 +1,200 @@
+From 7af1f4b3c8d0130f6c6d61765d8396b2e8b7a508 Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:31:08 -0400
+Subject: [PATCH 2/2] platform: add Arch Linux platform
+
+This patch has been adapted from the patches provided with freeipa package
+in the Arch User Repository (AUR).
+
+Signed-off-by: Jan Cholasta <jcholast@redhat.com>
+---
+ client/man/ipa-client-automount.1 | 4 ++--
+ client/man/ipa-client-install.1 | 4 ++--
+ ipaplatform/arch/__init__.py | 3 +++
+ ipaplatform/arch/constants.py | 12 ++++++++++++
+ ipaplatform/arch/paths.py | 22 ++++++++++++++++++++++
+ ipaplatform/arch/services.py | 30 ++++++++++++++++++++++++++++++
+ ipaplatform/arch/tasks.py | 19 +++++++++++++++++++
+ ipaplatform/setup.py | 1 +
+ 8 files changed, 91 insertions(+), 4 deletions(-)
+ create mode 100644 ipaplatform/arch/__init__.py
+ create mode 100644 ipaplatform/arch/constants.py
+ create mode 100644 ipaplatform/arch/paths.py
+ create mode 100644 ipaplatform/arch/services.py
+ create mode 100644 ipaplatform/arch/tasks.py
+
+diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
+index 8b9989dec..2399250b1 100644
+--- a/client/man/ipa-client-automount.1
++++ b/client/man/ipa-client-automount.1
+@@ -29,7 +29,7 @@ The automount configuration consists of three files:
+ .IP o
+ /etc/nsswitch.conf
+ .IP o
+-/etc/sysconfig/autofs
++/etc/conf.d/autofs
+ .IP o
+ /etc/autofs_ldap_auth.conf
+
+@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default):
+ .TP
+ Files that will be configured when using the ldap automount client:
+
+-/etc/sysconfig/autofs
++/etc/conf.d/autofs
+
+ /etc/autofs_ldap_auth.conf
+
+diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
+index 319952cb6..d01ccec64 100644
+--- a/client/man/ipa-client-install.1
++++ b/client/man/ipa-client-install.1
+@@ -250,7 +250,7 @@ Files replaced if NTP is enabled:
+
+ /etc/ntp.conf
+ .br
+-/etc/sysconfig/ntpd
++/etc/conf.d/ntpd.conf
+ .br
+ /etc/ntp/step\-tickers
+ .TP
+@@ -272,7 +272,7 @@ Files updated, existing content is maintained:
+ .br
+ /etc/krb5.keytab
+ .br
+-/etc/sysconfig/network
++/etc/hostname
+ .SH "EXIT STATUS"
+ 0 if the installation was successful
+
+diff --git a/ipaplatform/arch/__init__.py b/ipaplatform/arch/__init__.py
+new file mode 100644
+index 000000000..9da42e7b4
+--- /dev/null
++++ b/ipaplatform/arch/__init__.py
+@@ -0,0 +1,3 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
+diff --git a/ipaplatform/arch/constants.py b/ipaplatform/arch/constants.py
+new file mode 100644
+index 000000000..b4857aa7c
+--- /dev/null
++++ b/ipaplatform/arch/constants.py
+@@ -0,0 +1,12 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat.constants import RedHatConstantsNamespace
++
++
++class ArchConstantsNamespace(RedHatConstantsNamespace):
++ pass
++
++
++constants = ArchConstantsNamespace()
+diff --git a/ipaplatform/arch/paths.py b/ipaplatform/arch/paths.py
+new file mode 100644
+index 000000000..27721cf2f
+--- /dev/null
++++ b/ipaplatform/arch/paths.py
+@@ -0,0 +1,22 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat.paths import RedHatPathNamespace
++
++
++class ArchPathNamespace(RedHatPathNamespace):
++ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf"
++ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
++ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf"
++ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf"
++ SYSCONFIG_AUTOFS = "/etc/default/autofs"
++ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = (
++ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit")
++ DOGTAG_IPA_RENEW_AGENT_SUBMIT = (
++ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit")
++ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard"
++ LIB64_FIREFOX = "/usr/lib/firefox"
++
++
++paths = ArchPathNamespace()
+diff --git a/ipaplatform/arch/services.py b/ipaplatform/arch/services.py
+new file mode 100644
+index 000000000..4ddfb53c9
+--- /dev/null
++++ b/ipaplatform/arch/services.py
+@@ -0,0 +1,30 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat import services as redhat_services
++
++arch_system_units = dict(redhat_services.redhat_system_units)
++arch_system_units['messagebus'] = 'dbus.service'
++arch_system_units['rpcgssd'] = 'rpc-gssd.service'
++arch_system_units['rpcidmapd'] = 'rpc-idmapd.service'
++
++
++class ArchService(redhat_services.RedHatService):
++ system_units = arch_system_units
++
++
++def arch_service_class_factory(name, api=None):
++ if name in {'messagebus', 'rpcgssd', 'rpcidmapd'}:
++ return ArchService(name, api)
++ return redhat_services.redhat_service_class_factory(name, api)
++
++
++class ArchServices(redhat_services.RedHatServices):
++ def service_class_factory(self, name, api=None):
++ return arch_service_class_factory(name, api)
++
++
++timedate_services = redhat_services.timedate_services
++service = arch_service_class_factory
++knownservices = ArchServices()
+diff --git a/ipaplatform/arch/tasks.py b/ipaplatform/arch/tasks.py
+new file mode 100644
+index 000000000..58b837d79
+--- /dev/null
++++ b/ipaplatform/arch/tasks.py
+@@ -0,0 +1,19 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.arch.paths import paths
++from ipaplatform.redhat.tasks import RedHatTaskNamespace
++
++
++class ArchTaskNamespace(RedHatTaskNamespace):
++ def restore_network_configuration(self, fstore, statestore):
++ filepath = paths.ETC_HOSTNAME
++ if fstore.has_file(filepath):
++ fstore.restore_file(filepath)
++
++ def is_fips_enabled(self):
++ return False
++
++
++tasks = ArchTaskNamespace()
+diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
+index 501e2bc56..b47875164 100644
+--- a/ipaplatform/setup.py
++++ b/ipaplatform/setup.py
+@@ -34,6 +34,7 @@ if __name__ == '__main__':
+ package_dir={'ipaplatform': ''},
+ packages=[
+ "ipaplatform",
++ "ipaplatform.arch",
+ "ipaplatform.base",
+ "ipaplatform.debian",
+ "ipaplatform.fedora",
+--
+2.13.3
+
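Review bot: `ArchTaskNamespace.is_fips_enabled` in ipaplatform/arch/tasks.py returns `False` unconditionally and without explanation, so any caller that branches on FIPS state will treat an Arch host as non-FIPS however the kernel is configured. If that is intended, document it at the override, e.g. `# FIPS mode is not detected on Arch; always report it as disabled`. The base-class implementation being overridden is not visible in this patch, so whether a real check is being bypassed is an inference to confirm against `RedHatTaskNamespace`.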
diff --git a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
deleted file mode 100644
index 6210e954f134..000000000000
--- a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 016245420bfc0a344ddc220cef449e732f8c6a06 Mon Sep 17 00:00:00 2001
-From: Jan Cholasta <jcholast@redhat.com>
-Date: Tue, 2 Aug 2016 13:49:36 +0200
-Subject: [PATCH] client install: do not assume /etc/krb5.conf.d exists
-
----
- client/ipa-client-install | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/client/ipa-client-install b/client/ipa-client-install
-index 74d5d8aae66877dfee9436227bd6c47b7f0fb204..0bbfdab7701c7a6200d087c06d1bdc0559c4433c 100755
---- a/client/ipa-client-install
-+++ b/client/ipa-client-install
-@@ -1076,8 +1076,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
- krbconf.setIndent((""," "," "))
-
- opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
-- {'name':'empty', 'type':'empty'},
-- {'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}]
-+ {'name':'empty', 'type':'empty'}]
-+
-+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
-+ opts.append({'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '})
-
- # SSSD include dir
- if options.sssd:
---
-2.11.0
-
diff --git a/PKGBUILD b/PKGBUILD
index f9be89ef0b0f..2fa59b9de08c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,145 +9,185 @@ pkgname=(python-ipalib
freeipa-common
freeipa-client-common
freeipa-client)
-pkgver=4.4.3
+pkgver=4.5.3
pkgrel=1
pkgdesc='The Identity, Policy and Audit system'
arch=('i686' 'x86_64')
url='http://www.freeipa.org/'
license=('GPL3')
-makedepends=('nspr'
- 'nss'
- 'openssl'
- 'openldap'
- 'krb5>=1.13'
- 'libutil-linux'
- 'curl>7.21.7'
+makedepends=('openldap'
+ 'krb5>=1.15.1'
'xmlrpc-c>=1.27.4'
'popt'
+ 'gettext'
'python'
+ 'python-setuptools'
'python2'
- 'python2-ldap'
'python2-setuptools'
+ 'nspr'
+ 'nss'
+ 'openssl'
+ 'ding-libs'
+ 'libsasl'
+ 'python2-ldap'
'python2-nss'
- 'python2-cryptography>=0.9'
- 'python2-netaddr'
- 'python2-gssapi>=1.1.2'
- 'python2-memcached'
- 'sssd>=1.14.0'
- 'python2-lxml'
- 'python2-pyasn1>=0.0.9a'
- 'python2-qrcode'
- 'python2-dnspython>=1.11.1'
- 'systemd'
- 'libunistring'
- 'python2-yubico>=1.2.3'
+ 'python2-netaddr>=0.7.16'
+ 'python2-pyasn1'
+ 'python2-pyasn1-modules'
+ 'python2-dnspython'
'python2-six'
- 'ding-libs>=0.5.0'
- 'python2-dbus'
- 'python2-netifaces')
-source=("http://freeipa.org/downloads/src/freeipa-$pkgver.tar.gz"
- 0001-platform-add-Arch-Linux-platform.patch
- 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
- 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch)
-sha256sums=('7ab844e16ba23dff9c71d47f59f105a8b2fdb6c407a56326c32528e8e7bb0773'
- '73bff9f3677b98c09ff45dd8e2aae7080e0f93218956b978d07346005dab7b6b'
- 'e797910b18f7ed3063a9a454b261960fda2ab133f79ee070bee16e4745489d03'
- 'bc095e230652a8b421bfd1adb546aa4e720bfe8d15f6a9d6872eccac79b3dcbc')
+ 'sssd>=1.13.0'
+ 'python2-cffi'
+ 'python-jinja'
+ 'python-pyasn1-modules'
+ 'python2-jinja')
+options=(emptydirs)
+source=("https://releases.pagure.org/freeipa/freeipa-${pkgver}.tar.gz"
+ 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
+ 0002-platform-add-Arch-Linux-platform.patch
+ freeipa-client-update-sshd_config
+ freeipa-client-update-sshd_config.hook)
+sha256sums=('94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b'
+ 'ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e'
+ 'f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369'
+ '9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d'
+ '1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d')
prepare() {
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- rm -rf ipaplatform/archlinux
+ rm -rf ipaplatform/arch
- patch -p1 <"$srcdir"/0001-platform-add-Arch-Linux-platform.patch
- patch -p1 <"$srcdir"/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
- patch -p1 <"$srcdir"/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
+ patch -p1 -i"$srcdir"/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch
+ patch -p1 -i"$srcdir"/0002-platform-add-Arch-Linux-platform.patch
+
+ # Workaround: We want to build Python things twice. To be sure we do not mess
+ # up something, do two separate builds in separate directories.
+ cp -r ../freeipa-${pkgver} ../freeipa-${pkgver}-python3
}
build() {
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- # Arch specific
export PYTHON=/usr/bin/python2
- mkdir -p _install
-
- export SUPPORTED_PLATFORM=archlinux
-
- # Force re-generate of platform support
- export IPA_VENDOR_VERSION_SUFFIX=-$pkgrel
- rm -f ipapython/version.py
- rm -f ipaplatform/services.py
- rm -f ipaplatform/tasks.py
- rm -f ipaplatform/paths.py
- rm -f ipaplatform/constants.py
- make version-update
- cd client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd ..
-
- make IPA_VERSION_IS_GIT_SNAPSHOT=no client
-
- make client-install DESTDIR="$PWD"/_install
-
- (cd ipalib && make PYTHON=/usr/bin/python3 IPA_VERSION_IS_GIT_SNAPSHOT=no DESTDIR=../_install install)
- (cd ipapython && make PYTHON=/usr/bin/python3 IPA_VERSION_IS_GIT_SNAPSHOT=no DESTDIR=../_install install)
- (cd ipaplatform && /usr/bin/python3 setup.py install --root ../_install)
- (cd ipaclient && /usr/bin/python3 setup.py install --root ../_install)
-
- # Switch shebang of /usr/bin/ipa
- # XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2
- # in any case
- sed -i -e'1s/python\(3\|$\)/python2/' _install/usr/bin/ipa
-
- mkdir -p _install/usr/share/ipa
-
- mkdir -p _install/etc/ipa/
- mkdir -p _install/etc/ipa/nssdb
- mkdir -p _install/var/lib/ipa-client/sysrestore
- mkdir -p _install/etc/bash_completion.d
- install -pm 644 contrib/completion/ipa.bash_completion _install/etc/bash_completion.d/ipa
+ # Workaround: make sure all shebangs are pointing to Python 2
+ # This should be solved properly using setuptools
+ # and this hack should be removed.
+ find \
+ ! -name '*.pyc' -a \
+ ! -name '*.pyo' -a \
+ -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+ -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python2|' {} \;
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --sbindir=/usr/bin \
+ --with-vendor-suffix=-arch-${pkgrel} \
+ --disable-server \
+ --without-ipatests \
+ --disable-pylint --without-jslint
+
+ make
+
+ pushd ../freeipa-${pkgver}-python3
+ export PYTHON=/usr/bin/python3
+ # Workaround: make sure all shebangs are pointing to Python 3
+ # This should be solved properly using setuptools
+ # and this hack should be removed.
+ find \
+ ! -name '*.pyc' -a \
+ ! -name '*.pyo' -a \
+ -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+ -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python3|' {} \;
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --sbindir=/usr/bin \
+ --with-vendor-suffix=-arch-${pkgrel} \
+ --disable-server \
+ --without-ipatests \
+ --disable-pylint --without-jslint
+ popd
+
+ mkdir -p ../install
+
+ # Please put as much logic as possible into make install. It allows:
+ # - easier porting to other distributions
+ # - rapid devel & install cycle using make install
+ # (instead of full RPM build and installation each time)
+ #
+ # All files and directories created by spec install should be marked as ghost.
+ # (These are typically configuration files created by IPA installer.)
+ # All other artifacts should be created by make install.
+ #
+ # Exception to this rule are test programs which where want to install
+ # Python2/3 versions at the same time so we need to rename them. Yuck.
+
+ # Python 3 installation needs to be done first. Subsequent Python 2 install
+ # will overwrite /usr/bin/ipa and other scripts with variants using
+ # python2 shebang.
+ pushd ../freeipa-${pkgver}-python3
+ (cd ipaclient && make install DESTDIR=../../install)
+ (cd ipalib && make install DESTDIR=../../install)
+ (cd ipaplatform && make install DESTDIR=../../install)
+ (cd ipapython && make install DESTDIR=../../install)
+ popd
+
+ # Python 2 installation
+ make install DESTDIR="$PWD"/../install
+
+ # remove files which are useful only for make uninstall
+ find ../install -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
+
+ /bin/touch ../install/etc/ipa/default.conf
+ /bin/touch ../install/etc/ipa/ca.crt
+
+ mkdir -p ../install/etc/ipa/
+ mkdir -p ../install/etc/ipa/nssdb
+ mkdir -p ../install/var/lib/ipa-client/pki
+ mkdir -p ../install/var/lib/ipa-client/sysrestore
}
package_python-ipalib() {
pkgdesc='Python libraries used by IPA'
arch=('any')
depends=("freeipa-common=$pkgver-$pkgrel"
- 'python-gssapi>=1.1.2'
+ 'python-gssapi>=1.2.0'
'gnupg'
'keyutils'
'python-nss>=0.16'
- 'python-cryptography>=0.9'
- 'python-lxml'
- 'python-netaddr'
+ 'python-cryptography>=1.4'
+ 'python-netaddr>=0.7.16'
'sssd'
'python-qrcode>=5.0.0'
'python-pyasn1'
+ 'python-pyasn1-modules'
'python-dateutil'
'python-yubico>=1.2.3'
'python-dbus'
'python-setuptools'
'python-six'
'python-pyldap>=2.4.15'
- 'python-dnspython>=1.11.1'
+ 'python-dnspython>=1.15'
'python-netifaces>=0.10.4'
'python-pyusb')
provides=("python-ipapython=$pkgver-$pkgrel"
"python-ipaplatform=$pkgver-$pkgrel")
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/usr/lib/python3.*/site-packages/ipapython \
- _install/usr/lib/python3.*/site-packages/ipalib \
- _install/usr/lib/python3.*/site-packages/ipaplatform \
- _install/usr/lib/python3.*/site-packages/ipapython-*.egg-info \
- _install/usr/lib/python3.*/site-packages/ipalib-*.egg-info \
- _install/usr/lib/python3.*/site-packages/ipaplatform-*.egg-info
+ for _file in ../install/usr/lib/python3.*/site-packages/ipapython \
+ ../install/usr/lib/python3.*/site-packages/ipalib \
+ ../install/usr/lib/python3.*/site-packages/ipaplatform \
+ ../install/usr/lib/python3.*/site-packages/ipapython-*.egg-info \
+ ../install/usr/lib/python3.*/site-packages/ipalib-*.egg-info \
+ ../install/usr/lib/python3.*/site-packages/ipaplatform-*.egg-info
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -157,20 +197,21 @@ package_python-ipaclient() {
depends=("freeipa-client-common=$pkgver-$pkgrel"
"freeipa-common=$pkgver-$pkgrel"
"python-ipalib=$pkgver-$pkgrel"
- 'python-dnspython>=1.11.1')
+ 'python-dnspython>=1.15'
+ 'python-jinja')
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/usr/lib/python3.*/site-packages/ipaclient \
- _install/usr/lib/python3.*/site-packages/ipaclient-*.egg-info
+ for _file in ../install/usr/lib/python3.*/site-packages/ipaclient \
+ ../install/usr/lib/python3.*/site-packages/ipaclient-*.egg-info
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -178,23 +219,25 @@ package_python2-ipalib() {
pkgdesc='Python libraries used by IPA'
arch=('any')
depends=("freeipa-common=$pkgver-$pkgrel"
- 'python2-gssapi>=1.1.2'
+ 'python2-gssapi>=1.2.0'
'gnupg'
'keyutils'
+ 'python2>=2.7.9'
'python2-nss>=0.16'
- 'python2-cryptography>=0.9'
- 'python2-lxml'
- 'python2-netaddr'
+ 'python2-cryptography>=1.4'
+ 'python2-netaddr>=0.7.16'
'sssd'
'python2-qrcode>=5.0.0'
'python2-pyasn1'
+ 'python2-pyasn1-modules'
'python2-dateutil'
'python2-yubico>=1.2.3'
'python2-dbus'
'python2-setuptools'
'python2-six'
'python2-ldap>=2.4.15'
- 'python2-dnspython>=1.11.1'
+ 'python2-dnspython>=1.15'
+ 'python2-enum34'
'python2-netifaces>=0.10.4'
'python2-pyusb')
provides=("python2-ipapython=$pkgver-$pkgrel"
@@ -202,22 +245,22 @@ package_python2-ipalib() {
conflicts=('freeipa-python')
replaces=('freeipa-python')
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/usr/lib/python2.*/site-packages/ipapython \
- _install/usr/lib/python2.*/site-packages/ipalib \
- _install/usr/lib/python2.*/site-packages/ipaplatform \
- _install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \
- _install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \
- _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info
+ for _file in ../install/usr/lib/python2.*/site-packages/ipapython \
+ ../install/usr/lib/python2.*/site-packages/ipalib \
+ ../install/usr/lib/python2.*/site-packages/ipaplatform \
+ ../install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \
+ ../install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \
+ ../install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -227,20 +270,21 @@ package_python2-ipaclient() {
depends=("freeipa-client-common=$pkgver-$pkgrel"
"freeipa-common=$pkgver-$pkgrel"
"python2-ipalib=$pkgver-$pkgrel"
- 'python2-dnspython>=1.11.1')
+ 'python2-dnspython>=1.15'
+ 'python2-jinja')
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/usr/lib/python2.*/site-packages/ipaclient \
- _install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info
+ for _file in ../install/usr/lib/python2.*/site-packages/ipaclient \
+ ../install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -250,17 +294,17 @@ package_freeipa-common() {
conflicts=('freeipa-python')
replaces=('freeipa-python')
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/usr/share/locale/*/*/ipa.mo
+ for _file in ../install/usr/share/locale/*/*/ipa.mo
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -268,20 +312,20 @@ package_freeipa-client-common() {
pkgdesc='Common files used by IPA client'
arch=('any')
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/etc/ipa/nssdb \
- _install/usr/share/ipa \
- _install/var/lib/ipa-client/sysrestore \
- _install/usr/share/man/man5/default.conf.5.gz
+ for _file in ../install/etc/ipa/nssdb \
+ ../install/var/lib/ipa-client/pki \
+ ../install/var/lib/ipa-client/sysrestore \
+ ../install/usr/share/man/man5/default.conf.5*
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
@@ -304,7 +348,7 @@ package_freeipa-client() {
'nss'
'bind-tools'
'oddjob'
- 'python2-gssapi>=1.1.2'
+ 'python2-gssapi>=1.2.0'
'autofs'
'nfsidmap'
'nfs-utils')
@@ -312,30 +356,35 @@ package_freeipa-client() {
replaces=('freeipa-admintools')
install=freeipa-client.install
- cd "${pkgbase}-${pkgver}"
+ cd freeipa-${pkgver}
+
+ install -D -t"$pkgdir"/usr/share/libalpm/scripts \
+ "$srcdir"/freeipa-client-update-sshd_config
+ install -D -m644 -t"$pkgdir"/usr/share/libalpm/hooks \
+ "$srcdir"/freeipa-client-update-sshd_config.hook \
- install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README.md \
Contributors.txt
local _file
- for _file in _install/etc/bash_completion.d \
- _install/usr/bin/ipa \
- _install/usr/bin/ipa-client-install \
- _install/usr/bin/ipa-client-automount \
- _install/usr/bin/ipa-certupdate \
- _install/usr/bin/ipa-getkeytab \
- _install/usr/bin/ipa-rmkeytab \
- _install/usr/bin/ipa-join \
- _install/usr/share/man/man1/ipa.1 \
- _install/usr/share/man/man1/ipa-getkeytab.1.gz \
- _install/usr/share/man/man1/ipa-rmkeytab.1.gz \
- _install/usr/share/man/man1/ipa-client-install.1.gz \
- _install/usr/share/man/man1/ipa-client-automount.1.gz \
- _install/usr/share/man/man1/ipa-certupdate.1.gz \
- _install/usr/share/man/man1/ipa-join.1.gz
+ for _file in ../install/etc/bash_completion.d \
+ ../install/usr/bin/ipa \
+ ../install/usr/bin/ipa-client-install \
+ ../install/usr/bin/ipa-client-automount \
+ ../install/usr/bin/ipa-certupdate \
+ ../install/usr/bin/ipa-getkeytab \
+ ../install/usr/bin/ipa-rmkeytab \
+ ../install/usr/bin/ipa-join \
+ ../install/usr/share/man/man1/ipa.1 \
+ ../install/usr/share/man/man1/ipa-getkeytab.1* \
+ ../install/usr/share/man/man1/ipa-rmkeytab.1* \
+ ../install/usr/share/man/man1/ipa-client-install.1* \
+ ../install/usr/share/man/man1/ipa-client-automount.1* \
+ ../install/usr/share/man/man1/ipa-certupdate.1* \
+ ../install/usr/share/man/man1/ipa-join.1*
do
- _file="${_file#_install/}"
+ _file="${_file#../install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
- mv _install/"$_file" "$pkgdir"/"$_file"
+ mv ../install/"$_file" "$pkgdir"/"$_file"
done
}
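Review bot: The added line `"$srcdir"/freeipa-client-update-sshd_config.hook \` ends with a line continuation although it is the last argument of its `install` call. The hunk's line counts suggest a blank line follows it in the file, which would make the backslash harmless, but that line is not visible here. If there is no blank line, the following `install -D -m644 … README.md` command is folded into this one and the hook directory receives the wrong arguments. Dropping the trailing backslash removes the ambiguity: `"$srcdir"/freeipa-client-update-sshd_config.hook`. package_freeipa-client() starts outside this hunk.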
diff --git a/freeipa-client-update-sshd_config b/freeipa-client-update-sshd_config
new file mode 100755
index 000000000000..94cb255ca40e
--- /dev/null
+++ b/freeipa-client-update-sshd_config
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv -Z/etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ chmod 644 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
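Review bot: The line `mv -Z/etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config` has no space after `-Z`, unlike the `mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config` it replaces in freeipa-client.install. GNU mv's `-Z` takes no argument, so the rest of that word is read as further option letters and the move is likely to fail, leaving sshd_config unchanged and a stale `.ipanew` file behind. The script has no error handling, so `chmod 644` and the `condrestart` still run afterwards. It would also be safer to validate the rewritten file before installing it, e.g. `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew && mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config`, because when none of the three `sshd -t` probes succeeds the User/RunAs line has been deleted and nothing is added back. The mode also changes from 600 in the removed code to 644 here; a comment such as `# sshd_config holds no secrets; match the distribution default mode` would show that the change is deliberate.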
diff --git a/freeipa-client-update-sshd_config.hook b/freeipa-client-update-sshd_config.hook
new file mode 100644
index 000000000000..410d6f5334fb
--- /dev/null
+++ b/freeipa-client-update-sshd_config.hook
@@ -0,0 +1,9 @@
+[Trigger]
+Operation=Install
+Operation=Upgrade
+Type=Package
+Target=openssh
+
+[Action]
+When=PostTransaction
+Exec=/usr/share/libalpm/scripts/freeipa-client-update-sshd_config
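Review bot: The `[Action]` section has no `Description=` line, so a transaction that rewrites /etc/ssh/sshd_config and restarts sshd is reported only by the hook's file name. Adding a line such as `Description=Updating sshd_config for the FreeIPA client...` makes the change visible in the pacman output and log, which helps when auditing why the SSH configuration changed after an openssh upgrade.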
diff --git a/freeipa-client.install b/freeipa-client.install
index d2e6d3dc1c8c..5778c35f0615 100644
--- a/freeipa-client.install
+++ b/freeipa-client.install
@@ -11,50 +11,25 @@ post_upgrade() {
fi
fi
- if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
- if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
- sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
- mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
+ if [ $restore -ge 2 ]; then
+ if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
+ sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
+ mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+ cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
+ cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
+ fi
+ fi
+
+ if [ -f '/etc/conf.d/ntpd.conf' -a $restore -ge 2 ]; then
+ if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/conf.d/ntpd.conf 2>/dev/null; then
+ sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/conf.d/ntpd.conf >/etc/conf.d/ntpd.conf.ipanew
+ mv -Z /etc/conf.d/ntpd.conf.ipanew /etc/conf.d/ntpd.conf
/bin/systemctl condrestart ntpd.service 2>&1 || :
fi
fi
if [ $restore -ge 2 ]; then
- python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
- fi
-
- # Has the client been configured?
- restore=0
- test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
-
- if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
- if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
- sed -r '
- /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
- ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
-
- if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
- sed -ri '
- s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
- s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
- ' /etc/ssh/sshd_config.ipanew
- elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
- sed -ri '
- s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
- s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
- ' /etc/ssh/sshd_config.ipanew
- elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
- sed -ri '
- s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
- s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
- ' /etc/ssh/sshd_config.ipanew
- fi
-
- mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
- chmod 600 /etc/ssh/sshd_config
-
- /bin/systemctl condrestart sshd.service 2>&1 || :
- fi
+ python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
}
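Review bot: In the new krb5.conf block, `mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf` switches `pkinit_anchors` and `pkinit_pool` to files under /var/lib/ipa-client/pki before the two `cp /etc/ipa/ca.crt …` lines create them, and no step checks the exit status of the previous one. If either copy fails (for example a missing directory or ca.crt), krb5.conf is left pointing at trust-anchor files that do not exist. Running both `cp` commands before the `sed` and chaining the rewrite avoids that, e.g. `sed -E '…' /etc/krb5.conf >/etc/krb5.conf.ipanew && mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf`. post_upgrade() begins outside this hunk.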