-rw-r--r-- | .SRCINFO | 45 | ||||
-rw-r--r-- | 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch | 196 | ||||
-rw-r--r-- | 0001-platform-add-Arch-Linux-platform.patch (renamed from 0002-platform-add-Arch-Linux-platform.patch) | 0 | ||||
-rw-r--r-- | PKGBUILD | 24 |
4 files changed, 33 insertions, 232 deletions
@@ -1,6 +1,6 @@ pkgbase = freeipa pkgdesc = The Identity, Policy and Audit system - pkgver = 4.5.3 + pkgver = 4.6.3 pkgrel = 1 url = http://www.freeipa.org/ arch = i686 @@ -33,13 +33,11 @@ pkgbase = freeipa makedepends = python-pyasn1-modules makedepends = python2-jinja options = emptydirs - source = https://releases.pagure.org/freeipa/freeipa-4.5.3.tar.gz - source = 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch - source = 0002-platform-add-Arch-Linux-platform.patch + source = https://releases.pagure.org/freeipa/freeipa-4.6.3.tar.gz + source = 0001-platform-add-Arch-Linux-platform.patch source = freeipa-client-update-sshd_config source = freeipa-client-update-sshd_config.hook - sha256sums = 94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b - sha256sums = ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e + sha256sums = 9ee590baf2fd91c082de71e39fb178443c96c70f9e2c0037faa361e16d067c75 sha256sums = f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369 sha256sums = 9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d sha256sums = 1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d @@ -47,7 +45,7 @@ pkgbase = freeipa pkgname = python-ipalib pkgdesc = Python libraries used by IPA arch = any - depends = freeipa-common=4.5.3-1 + depends = freeipa-common=4.6.3-1 depends = python-gssapi>=1.2.0 depends = gnupg depends = keyutils 
@@ -63,26 +61,26 @@ pkgname = python-ipalib depends = python-dbus depends = python-setuptools depends = python-six - depends = python-pyldap>=2.4.15 + depends = python-ldap depends = python-dnspython>=1.15 depends = python-netifaces>=0.10.4 depends = python-pyusb - provides = python-ipapython=4.5.3-1 - provides = python-ipaplatform=4.5.3-1 + provides = python-ipapython=4.6.3-1 + provides = python-ipaplatform=4.6.3-1 pkgname = python-ipaclient pkgdesc = Python libraries used by IPA client arch = any - depends = freeipa-client-common=4.5.3-1 - depends = freeipa-common=4.5.3-1 - depends = python-ipalib=4.5.3-1 + depends = freeipa-client-common=4.6.3-1 + depends = freeipa-common=4.6.3-1 + depends = python-ipalib=4.6.3-1 depends = python-dnspython>=1.15 depends = python-jinja pkgname = python2-ipalib pkgdesc = Python libraries used by IPA arch = any - depends = freeipa-common=4.5.3-1 + depends = freeipa-common=4.6.3-1 depends = python2-gssapi>=1.2.0 depends = gnupg depends = keyutils @@ -99,22 +97,22 @@ pkgname = python2-ipalib depends = python2-dbus depends = python2-setuptools depends = python2-six - depends = python2-ldap>=2.4.15 + depends = python2-ldap depends = python2-dnspython>=1.15 depends = python2-enum34 depends = python2-netifaces>=0.10.4 depends = python2-pyusb - provides = python2-ipapython=4.5.3-1 - provides = python2-ipaplatform=4.5.3-1 + provides = python2-ipapython=4.6.3-1 + provides = python2-ipaplatform=4.6.3-1 conflicts = freeipa-python replaces = freeipa-python pkgname = python2-ipaclient pkgdesc = Python libraries used by IPA client arch = any - depends = freeipa-client-common=4.5.3-1 - depends = freeipa-common=4.5.3-1 - depends = python2-ipalib=4.5.3-1 + depends = freeipa-client-common=4.6.3-1 + depends = freeipa-common=4.6.3-1 + depends = python2-ipalib=4.6.3-1 depends = python2-dnspython>=1.15 depends = python2-jinja 
@@ -131,10 +129,11 @@ pkgname = freeipa-client-common pkgname = freeipa-client pkgdesc = IPA authentication for use on clients install = freeipa-client.install - depends = freeipa-client-common=4.5.3-1 - depends = freeipa-common=4.5.3-1 - depends = python2-ipaclient=4.5.3-1 + depends = freeipa-client-common=4.6.3-1 + depends = freeipa-common=4.6.3-1 + depends = python2-ipaclient=4.6.3-1 depends = python2-ldap + depends = python-augeas depends = cyrus-sasl-gssapi depends = ntp depends = krb5 diff --git a/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch deleted file mode 100644 index 411f30112082..000000000000 --- a/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch +++ /dev/null 
@@ -1,196 +0,0 @@ -From c2a9ff7a7d5384bdb036b8679b71527f5ff64bbd Mon Sep 17 00:00:00 2001 -From: Jan Cholasta <jcholast@redhat.com> -Date: Mon, 20 Mar 2017 06:56:53 +0000 -Subject: [PATCH 1/2] install: do not assume /etc/krb5.conf.d exists - -Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if -/etc/krb5.conf.d exists. - -Do not rely on /etc/krb5.conf.d to enable the certauth plugin. - -This fixes install on platforms which do not have /etc/krb5.conf.d. - -https://pagure.io/freeipa/issue/6589 - -Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> -Reviewed-By: Christian Heimes <cheimes@redhat.com> -Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> ---- - daemons/ipa-kdb/Makefile.am | 6 ------ - daemons/ipa-kdb/ipa-certauth | 5 ----- - freeipa.spec.in | 1 - - install/share/krb5.conf.template | 7 ++++++- - ipaclient/install/client.py | 16 ++++++++++------ - ipaserver/install/krbinstance.py | 8 +++++++- - ipaserver/install/server/upgrade.py | 33 +++++++++++++++++++++++++++++++++ - 8 files changed, 56 insertions(+), 21 deletions(-) - delete mode 100644 daemons/ipa-kdb/ipa-certauth - -diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am -index 259bc3b20..5669349af 100644 ---- a/daemons/ipa-kdb/Makefile.am -+++ b/daemons/ipa-kdb/Makefile.am -@@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports - - if BUILD_IPA_CERTAUTH_PLUGIN - ipadb_la_SOURCES += ipa_kdb_certauth.c -- -- --krb5confdir = $(sysconfdir)/krb5.conf.d --krb5conf_DATA = ipa-certauth --else --dist_noinst_DATA += ipa-certauth - endif - - ipadb_la_LDFLAGS = \ -diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth -deleted file mode 100644 -index 6fde08284..000000000 ---- a/daemons/ipa-kdb/ipa-certauth -+++ /dev/null -@@ -1,5 +0,0 @@ --[plugins] -- certauth = { -- module = ipakdb:kdb/ipadb.so -- enable_only = ipakdb -- } -diff --git a/freeipa.spec.in b/freeipa.spec.in -index a8b5ce81f..80f302130 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -1207,7 +1207,6 
@@ fi - %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck - %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf - %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf --%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth - %dir %{_libexecdir}/ipa/certmonger - %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* - # NOTE: systemd specific section -diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template -index 1f18ff90d..e3420e537 100644 ---- a/install/share/krb5.conf.template -+++ b/install/share/krb5.conf.template -@@ -1,4 +1,4 @@ --includedir /etc/krb5.conf.d/ -+$INCLUDES - includedir /var/lib/sss/pubconf/krb5.include.d/ - - [logging] -@@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS - db_library = ipadb.so - } - -+[plugins] -+ certauth = { -+ module = ipakdb:kdb/ipadb.so -+ enable_only = ipakdb -+ } -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index c88061320..2d64a4494 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -640,14 +640,18 @@ def configure_krb5_conf( - 'value': 'File modified by ipa-client-install' - }, - krbconf.emptyLine(), -- { -- 'name': 'includedir', -- 'type': 'option', -- 'value': paths.COMMON_KRB5_CONF_DIR, -- 'delim': ' ' -- } - ] - -+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): -+ opts.extend([ -+ { -+ 'name': 'includedir', -+ 'type': 'option', -+ 'value': paths.COMMON_KRB5_CONF_DIR, -+ 'delim': ' ' -+ } -+ ]) -+ - # SSSD include dir - if configure_sssd: - opts.extend([ -diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py -index 6b51e65d1..f0875fbc9 100644 ---- a/ipaserver/install/krbinstance.py -+++ b/ipaserver/install/krbinstance.py -@@ -249,6 +249,11 @@ class KrbInstance(service.Service): - root_logger.critical("krb5kdc service failed to start") - - def __setup_sub_dict(self): -+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): -+ includes = 'includedir 
{}'.format(paths.COMMON_KRB5_CONF_DIR) -+ else: -+ includes = '' -+ - self.sub_dict = dict(FQDN=self.fqdn, - IP=self.ip, - PASSWORD=self.kdc_password, -@@ -264,7 +269,8 @@ class KrbInstance(service.Service): - KDC_KEY=paths.KDC_KEY, - CACERT_PEM=paths.CACERT_PEM, - KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, -- CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) -+ CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM, -+ INCLUDES=includes) - - # IPA server/KDC is not a subdomain of default domain - # Proper domain-realm mapping needs to be specified -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index 732776f2c..9c28c22fc 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1549,6 +1549,38 @@ def setup_pkinit(krb): - aug.close() - - -+def enable_certauth(krb): -+ root_logger.info("[Enable certauth]") -+ -+ aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, -+ loadpath=paths.USR_SHARE_IPA_DIR) -+ try: -+ aug.transform('IPAKrb5', paths.KRB5_CONF) -+ aug.load() -+ -+ path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF) -+ modified = False -+ -+ if not aug.match(path): -+ aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so') -+ aug.set('{}/enable_only'.format(path), 'ipakdb') -+ modified = True -+ -+ if modified: -+ try: -+ aug.save() -+ except IOError: -+ for error_path in aug.match('/augeas//error'): -+ root_logger.error('augeas: %s', aug.get(error_path)) -+ raise -+ -+ if krb.is_running(): -+ krb.stop() -+ krb.start() -+ finally: -+ aug.close() -+ -+ - def disable_httpd_system_trust(http): - ca_certs = [] - -@@ -1842,6 +1874,7 @@ def upgrade_configuration(): - CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) - krb.add_anonymous_principal() - setup_pkinit(krb) -+ enable_certauth(krb) - - if not ds_running: - ds.stop(ds_serverid) --- -2.13.3 - diff --git a/0002-platform-add-Arch-Linux-platform.patch b/0001-platform-add-Arch-Linux-platform.patch index 420baecf153d..420baecf153d 100644 
--- a/0002-platform-add-Arch-Linux-platform.patch +++ b/0001-platform-add-Arch-Linux-platform.patch @@ -9,7 +9,7 @@ pkgname=(python-ipalib freeipa-common freeipa-client-common freeipa-client) -pkgver=4.5.3 +pkgver=4.6.3 pkgrel=1 pkgdesc='The Identity, Policy and Audit system' arch=('i686' 'x86_64') @@ -43,12 +43,10 @@ makedepends=('openldap' 'python2-jinja') options=(emptydirs) source=("https://releases.pagure.org/freeipa/freeipa-${pkgver}.tar.gz" - 0001-install-do-not-assume-etc-krb5.conf.d-exists.patch - 0002-platform-add-Arch-Linux-platform.patch + 0001-platform-add-Arch-Linux-platform.patch freeipa-client-update-sshd_config freeipa-client-update-sshd_config.hook) -sha256sums=('94c18793cd4f0b008879afabb69ac52f2d9abad71d8ff3c89260ab5af116b81b' - 'ffdd4de12728fca3732e0782352a046d6317508c68eca0cc048c80cdb9cc4b3e' +sha256sums=('9ee590baf2fd91c082de71e39fb178443c96c70f9e2c0037faa361e16d067c75' 'f30985cdc09070da6c935bc8e3b1f0d870f91766bf6ecdef41815386beccb369' '9fbac49fa4bc23afe0c4d575ea2795f1da435399289dbd04c5a3ac47580e2a0d' '1e73f394d276357dcd578df7a349b1f381c9edc7b1c053ecf65f7a9255c0490d') @@ -58,8 +56,7 @@ prepare() { rm -rf ipaplatform/arch - patch -p1 -i"$srcdir"/0001-install-do-not-assume-etc-krb5.conf.d-exists.patch - patch -p1 -i"$srcdir"/0002-platform-add-Arch-Linux-platform.patch + patch -p1 -i"$srcdir"/0001-platform-add-Arch-Linux-platform.patch # Workaround: We want to build Python things twice. To be sure we do not mess # up something, do two separate builds in separate directories. 
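Review bot: The new tarball in the `source=(...)` hunk is authenticated only by its `sha256sums` entry, which records what the packager downloaded but does not tie the file to the FreeIPA release signers. If upstream publishes a detached signature next to the tarball, add it as a further `source` entry and declare the signer with `validpgpkeys=('<UPSTREAM_SIGNING_KEY_FINGERPRINT>')`, so makepkg verifies the signature on every build. The checksum array then needs a matching `'SKIP'` entry for the signature file. This matters more than usual here, because the package provides the Kerberos and LDAP client stack used for host authentication.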
@@ -137,13 +134,13 @@ build() { # remove files which are useful only for make uninstall find ../install -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; - /bin/touch ../install/etc/ipa/default.conf - /bin/touch ../install/etc/ipa/ca.crt - - mkdir -p ../install/etc/ipa/ + mkdir -p ../install/etc/ipa mkdir -p ../install/etc/ipa/nssdb mkdir -p ../install/var/lib/ipa-client/pki mkdir -p ../install/var/lib/ipa-client/sysrestore + + touch ../install/etc/ipa/default.conf + touch ../install/etc/ipa/ca.crt } package_python-ipalib() { @@ -165,7 +162,7 @@ package_python-ipalib() { 'python-dbus' 'python-setuptools' 'python-six' - 'python-pyldap>=2.4.15' + 'python-ldap' 'python-dnspython>=1.15' 'python-netifaces>=0.10.4' 'python-pyusb') @@ -235,7 +232,7 @@ package_python2-ipalib() { 'python2-dbus' 'python2-setuptools' 'python2-six' - 'python2-ldap>=2.4.15' + 'python2-ldap' 'python2-dnspython>=1.15' 'python2-enum34' 'python2-netifaces>=0.10.4' @@ -336,6 +333,7 @@ package_freeipa-client() { "freeipa-common=$pkgver-$pkgrel" "python2-ipaclient=$pkgver-$pkgrel" 'python2-ldap' + 'python-augeas' 'cyrus-sasl-gssapi' 'ntp' 'krb5' |
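Review bot: The placeholders created at the end of this hunk, `../install/etc/ipa/default.conf` and `../install/etc/ipa/ca.crt`, are empty files, and nothing visible here protects the real contents from being replaced on a package upgrade. If the package functions copy them into `/etc/ipa` (those functions are outside this hunk, so this is inferred), list both in the owning package's `backup=()` array, e.g. `backup=('etc/ipa/default.conf' 'etc/ipa/ca.crt')`. Otherwise pacman may overwrite an enrolled client's configuration and CA certificate with the empty files. A one-line comment above the `touch` calls saying they are placeholders filled in at enrolment would also help; build() starts before the hunk.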
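Review bot: Replacing `'python-pyldap>=2.4.15'` with `'python-ldap'` in package_python-ipalib() removes the version floor along with the rename, and the package_python2-ipalib() hunk does the same to `'python2-ldap>=2.4.15'`. Without a floor, any installed version of the binding satisfies the dependency, including one older than this FreeIPA release was tested against. If upstream's requirements still state a minimum, keep it, as in `'python-ldap>=<UPSTREAM_MINIMUM>'`. Both dependency arrays start and end outside their hunks.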
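Review bot: The added `'python-augeas'` sits among `python2-` dependencies (`python2-ipaclient`, `python2-ldap`), so it probably installs the binding for a different interpreter than the one the client tools run under. If the client scripts are Python 2, as the neighbouring entries suggest, the module would not be importable by them even though the dependency is satisfied. In that case the entry should name the Python 2 build of the binding, or both builds if both interpreters are supported. The depends array of package_freeipa-client() continues outside the hunk.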