websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c86f4cfde4 3bfaa6e020
commit 2c5b897d9d
2165 changed files with 318405 additions and 1669785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
debian/patches/add-a-clear-openssl-exception.diff vendored Normal file
View File

@@ -0,0 +1,49 @@
commit d762f61d25508c1856c0fa7dc0ea1e032671542b
Author: Simo Sorce <simo@redhat.com>
Date: Fri Feb 20 08:46:40 2015 -0500
Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
diff --git a/COPYING.openssl b/COPYING.openssl
new file mode 100644
index 0000000..8a92460
--- /dev/null
+++ b/COPYING.openssl
@@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index 8ffa666..c6abd4b 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -18,6 +18,10 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * This file includes an "OpenSSL license exception", see the
+ * COPYING.openssl file for details.
+ *
*/
#include <stdbool.h>

542
debian/patches/add-debian-platform.diff vendored Normal file
View File

@@ -0,0 +1,542 @@
commit b076743f2cdd3a3cb9e8d0e8be7be8c90160fc21
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Fri Mar 1 12:21:00 2013 +0200
add debian platform support
--- /dev/null
+++ b/ipaplatform/debian/__init__.py
@@ -0,0 +1,22 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This module contains Debian specific platform files.
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,70 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This Debian base platform module exports default filesystem paths as common
+in Debian-based systems.
+"""
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+
+
+class DebianPathNamespace(BasePathNamespace):
+ ETC_HTTPD_DIR = "/etc/apache2"
+ HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+ HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+ HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+ HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+ IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
+ ETC_SYSCONFIG_DIR = "/etc/default"
+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
+ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
+ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
+ SYSCONFIG_PKI = "/etc/dogtag/"
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
+ SBIN_SERVICE = "/usr/sbin/service"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
+ HTTPD = "/usr/sbin/apache2ctl"
+ SETUP_DS_PL = "/usr/sbin/setup-ds"
+ VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+ VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+ CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
+ KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
+ VAR_LOG_HTTPD_DIR = "/var/log/apache2"
+ GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
+
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
@@ -0,0 +1,184 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Contains Debian-specific service class implementations.
+"""
+
+import time
+
+from ipaplatform.tasks import tasks
+from ipaplatform.base import services as base_services
+from ipaplatform.redhat import services as redhat_services
+from ipapython import ipautil
+from ipapython.ipa_log_manager import root_logger
+from ipalib import api
+from ipaplatform.paths import paths
+
+# Mappings from service names as FreeIPA code references to these services
+# to their actual systemd service names
+debian_system_units = redhat_services.redhat_system_units
+
+debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
+debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
+
+# Service classes that implement Debian-specific behaviour
+
+class DebianService(redhat_services.RedHatService):
+ system_units = debian_system_units
+
+
+class DebianSysvService(base_services.PlatformService):
+ def __wait_for_open_ports(self, instance_name=""):
+ """
+ If this is a service we need to wait for do so.
+ """
+ ports = None
+ if instance_name in base_services.wellknownports:
+ ports = base_services.wellknownports[instance_name]
+ else:
+ if self.service_name in base_services.wellknownports:
+ ports = base_services.wellknownports[self.service_name]
+ if ports:
+ ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
+ def stop(self, instance_name='', capture_output=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "stop",
+ instance_name], capture_output=capture_output)
+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
+ update_service_list = True
+ else:
+ update_service_list = False
+ super(DebianSysvService, self).stop(instance_name)
+
+ def start(self, instance_name='', capture_output=True, wait=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
+ instance_name], capture_output=capture_output)
+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
+ update_service_list = True
+ else:
+ update_service_list = False
+ if wait and self.is_running(instance_name):
+ self.__wait_for_open_ports(instance_name)
+ super(DebianSysvService, self).start(instance_name)
+
+ def restart(self, instance_name='', capture_output=True, wait=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
+ instance_name], capture_output=capture_output)
+ if wait and self.is_running(instance_name):
+ self.__wait_for_open_ports(instance_name)
+
+ def is_running(self, instance_name=""):
+ ret = True
+ try:
+ (sout, serr, rcode) = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name])
+ if sout.find("NOT running") >= 0:
+ ret = False
+ if sout.find("stop") >= 0:
+ ret = False
+ except ipautil.CalledProcessError:
+ ret = False
+ return ret
+
+ def is_installed(self):
+ installed = True
+ try:
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "status"])
+ except ipautil.CalledProcessError, e:
+ if e.returncode == 1:
+ # service is not installed or there is other serious issue
+ installed = False
+ return installed
+
+ def is_enabled(self, instance_name=""):
+ # Services are always assumed to be enabled when installed
+ return True
+
+ def enable(self):
+ return True
+
+ def disable(self):
+ return True
+
+ def install(self):
+ return True
+
+ def remove(self):
+ return True
+
+ def tune_nofile_platform(self):
+ return True
+
+# For services which have no Debian counterpart
+class DebianNoService(base_services.PlatformService):
+ def restart(self):
+ return True
+
+ def disable(self):
+ return True
+
+
+class DebianSSHService(DebianSysvService):
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
+
+# Function that constructs proper Debian-specific server classes for services
+# of specified name
+
+def debian_service_class_factory(name):
+ if name == 'dirsrv':
+ return redhat_services.RedHatDirectoryService(name)
+ if name == 'domainname':
+ return DebianNoService(name)
+ if name == 'ipa':
+ return redhat_services.RedHatIPAService(name)
+ if name == 'httpd':
+ return DebianSysvService("apache2")
+ if name == 'kadmin':
+ return DebianSysvService("krb5-admin-server")
+ if name == 'krb5kdc':
+ return DebianSysvService("krb5-kdc")
+ if name == 'messagebus':
+ return DebianSysvService("dbus")
+ if name == 'named':
+ return DebianSysvService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'sshd':
+ return DebianSSHService(name)
+ return DebianService(name)
+
+
+# Magicdict containing DebianService instances.
+
+class DebianServices(base_services.KnownServices):
+ def __init__(self):
+ services = dict()
+ for s in base_services.wellknownservices:
+ services[s] = debian_service_class_factory(s)
+ # Call base class constructor. This will lock services to read-only
+ super(DebianServices, self).__init__(services)
+
+
+# Objects below are expected to be exported by platform module
+
+from ipaplatform.base.services import timedate_services
+service = debian_service_class_factory
+knownservices = DebianServices()
--- /dev/null
+++ b/ipaplatform/debian/tasks.py
@@ -0,0 +1,53 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This module contains default Debian-specific implementations of system tasks.
+"""
+
+from ipaplatform.paths import paths
+from ipaplatform.base.tasks import *
+from ipaplatform.redhat.tasks import RedHatTaskNamespace
+
+class DebianTaskNamespace(RedHatTaskNamespace):
+
+ def restore_pre_ipa_client_configuration(self, fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+ return True
+
+ def set_nisdomain(self, nisdomain):
+ return True
+
+ def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
+ return True
+
+ def modify_pam_to_use_krb5(self, statestore):
+ return True
+
+ def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
+ return True
+
+ def remove_ca_certs_from_systemwide_ca_store(self):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ return True
+
+tasks = DebianTaskNamespace()
--- a/ipaplatform/setup.py.in
+++ b/ipaplatform/setup.py.in
@@ -67,6 +67,7 @@ def setup_package():
package_dir = {'ipaplatform': ''},
packages = ["ipaplatform",
"ipaplatform.base",
+ "ipaplatform.debian",
"ipaplatform.fedora",
"ipaplatform.redhat",
"ipaplatform.rhel"],
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -46,6 +46,8 @@ class NTPInstance(service.Service):
os = "fedora"
elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
os = "rhel"
+ elif ipautil.file_exists(paths.ETC_DEBIAN_VERSION):
+ os = "debian"
srv_vals = []
srv_vals.append("0.%s.pool.ntp.org" % os)
@@ -105,9 +107,9 @@ class NTPInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
for opt in needopts:
if sline.find(opt['val']) != -1:
opt['need'] = False
@@ -123,12 +125,12 @@ class NTPInstance(service.Service):
for line in lines:
if not done:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
fd.write(line)
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
(variable, opts) = sline.split('=', 1)
- fd.write('OPTIONS="%s %s"\n' % (opts, ' '.join(newopts)))
+ fd.write('NTPD_OPTS="%s %s"\n' % (opts, ' '.join(newopts)))
done = True
else:
fd.write(line)
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -247,9 +247,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -204,14 +205,14 @@ class HTTPInstance(service.Service):
self.move_service(self.principal)
self.add_cert_to_service()
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='www-data', raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@@ -260,11 +261,11 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def __set_mod_nss_passwordfile(self):
- installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+ installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
- if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+ if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf-available/ipa-rewrite.conf\n</VirtualHost>') != 0:
print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
def __setup_ssl(self):
@@ -305,7 +306,7 @@ class HTTPInstance(service.Service):
os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
@@ -400,6 +401,8 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
if not enabled is None and not enabled:
self.disable()
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -148,7 +148,7 @@ class ServerCertInstall(admintool.AdminT
os.chmod(os.path.join(dirname, 'key3.db'), 0640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1130,7 +1130,7 @@ class CAInstance(service.Service):
os.chmod(self.ra_agent_db + "/key3.db", 0640)
os.chmod(self.ra_agent_db + "/secmod.db", 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -740,7 +740,7 @@ class CertDB(object):
f.close()
pwdfile.close()
# TODO: replace explicit uid by a platform-specific one
- self.set_perms(self.pwd_conf, uid="apache")
+ self.set_perms(self.pwd_conf, uid="www-data")
def find_root_cert(self, nickname):
"""
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -483,7 +483,7 @@ class BindInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
- reverse_zone, named_user="named", zonemgr=None,
+ reverse_zone, named_user="bind", zonemgr=None,
ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
@@ -874,7 +874,7 @@ class BindInstance(service.Service):
def __generate_rndc_key(self):
installutils.check_entropy()
- ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ ipautil.run(paths.GENERATE_RNDC_KEY)
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False, ca_configured=None):
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

12
debian/patches/create-sysconfig-ods.diff vendored
View File

@@ -1,12 +0,0 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -197,6 +197,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
+ # create the configfile, opendnssec-enforcer doesn't ship it
+ open(paths.SYSCONFIG_ODS, 'a').close()
+
installutils.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,

19
debian/patches/enable-mod-nss-during-setup.diff vendored
View File

@@ -1,19 +0,0 @@
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -179,6 +179,7 @@ class HTTPInstance(service.Service):
if not self.is_kdcproxy_configured():
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("starting httpd", self.start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
@@ -525,6 +526,8 @@ class HTTPInstance(service.Service):
except Exception:
pass
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')

39
debian/patches/fix-bind-conf.diff vendored Normal file
View File

@@ -0,0 +1,39 @@
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/cache/bind"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
@@ -14,7 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-keytab "/etc/named.keytab";
+ tkey-gssapi-keytab "/etc/bind/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
@@ -32,12 +32,13 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
+// included below
+//zone "." IN {
+// type hint;
+// file "named.ca";
+//};
-include "/etc/named.rfc1912.zones";
+include "/etc/bind/named.conf.default-zones";
dynamic-db "ipa" {
library "ldap.so";

77
debian/patches/fix-hyphen-used-as-minus-sign.patch vendored Normal file
View File

@@ -0,0 +1,77 @@
Description: Fix hyphen-used-as-minus-sign warning (found by Lintian).
See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for
an explanation.
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -107,7 +107,7 @@ The name of the user with administrative
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
-The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -70,13 +70,13 @@ Output only errors
.SH "EXAMPLES"
.TP
-\fBipa-replica-conncheck -m master.example.com\fR
+\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
-\fBipa-replica-conncheck -R replica.example.com\fR
+\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
-\fBipa-replica-conncheck -m master.example.com -a -r EXAMPLE.COM -w password\fR
+\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -49,7 +49,7 @@ Create home directories for users on the
The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
+The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -22,7 +22,7 @@ ipa\-test\-config \- Generate FreeIPA te
.SH "SYNOPSIS"
ipa\-test\-config [options]
.br
-ipa\-test\-config [options] --global
+ipa\-test\-config [options] \-\-global
.br
ipa\-test\-config [options] hostname
.SH "DESCRIPTION"
@@ -37,7 +37,7 @@ If run without arguments, it prints out
host.
Another host may be specified as an argument, or via the \-\-master,
\-\-replica, and \-\-client options.
-With the --global option, it prints only configuration that is not specific to
+With the \-\-global option, it prints only configuration that is not specific to
any host.
.SH "OPTIONS"
--- a/ipatests/man/ipa-test-task.1
+++ b/ipatests/man/ipa-test-task.1
@@ -20,7 +20,7 @@
.SH "NAME"
ipa\-test\-task \- Run a task for FreeIPA testing
.SH "SYNOPSIS"
-ipa\-test\-task -h
+ipa\-test\-task \-h
.br
ipa\-test\-task [global-options] TASK [task-options]
.SH "DESCRIPTION"

48
debian/patches/fix-ipa-conf.diff vendored
View File

@@ -1,7 +1,7 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -47,7 +47,7 @@ FileETag None
@@ -38,7 +38,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
@@ -10,25 +10,16 @@ Description: Fix paths
# Configure mod_wsgi handler for /ipa
@@ -129,7 +129,7 @@ Alias /ipa/session/cookie "/usr/share/ip
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
SessionMaxAge 1800
- GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiSessionKey file:/etc/apache2/ipasession.key
Header unset Set-Cookie
</Location>
@@ -149,7 +149,7 @@ Alias /ipa/session/cookie "/usr/share/ip
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
+ ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
@@ -183,8 +183,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
@@ -71,7 +71,7 @@ KrbConstrainedDelegationLock ipa
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
@@ -138,8 +138,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
@@ -39,3 +30,20 @@ Description: Fix paths
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
@@ -175,14 +175,14 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
</Directory>
# Protect our CGIs
-<Directory /var/www/cgi-bin>
+<Directory /usr/lib/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html

93
debian/patches/fix-manpage-has-errors-from-man.patch vendored Normal file
View File

@@ -0,0 +1,93 @@
Description: Fix manpage-has-errors-from-man warning (found by Lintian).
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- freeipa-4.0.2.orig/ipa-client/man/default.conf.5
+++ freeipa-4.0.2/ipa-client/man/default.conf.5
@@ -47,14 +47,14 @@ Valid lines consist of an option name, a
Values should not be quoted, the quotes will not be stripped.
-.np
+.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
-.fi
+.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
--- freeipa-4.0.2.orig/ipa-client/man/ipa-client-install.1
+++ freeipa-4.0.2/ipa-client/man/ipa-client-install.1
@@ -205,35 +205,47 @@ Unattended uninstallation. The user will
.TP
Files that will be replaced if SSSD is configured (default):
-/etc/sssd/sssd.conf\p
+/etc/sssd/sssd.conf
.TP
Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
-/etc/ldap.conf\p
-/etc/nss_ldap.conf\p
-/etc/libnss\-ldap.conf\p
-/etc/pam_ldap.conf\p
-/etc/nslcd.conf\p
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
.TP
Files replaced if NTP is enabled:
-/etc/ntp.conf\p
-/etc/sysconfig/ntpd\p
-/etc/ntp/step\-tickers\p
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
.TP
Files always created (replacing existing content):
-/etc/krb5.conf\p
-/etc/ipa/ca.crt\p
-/etc/ipa/default.conf\p
-/etc/openldap/ldap.conf\p
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/openldap/ldap.conf
.TP
Files updated, existing content is maintained:
-/etc/nsswitch.conf\p
-/etc/pki/nssdb\p
-/etc/krb5.keytab\p
-/etc/sysconfig/network\p
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
.SH "EXIT STATUS"
0 if the installation was successful

11
debian/patches/fix-match-hostname.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -25,7 +25,7 @@ from ipalib.errors import PasswordMismat
from ipalib.request import context
from ipalib.frontend import Local
-from backports.ssl_match_hostname import match_hostname
+from ssl import match_hostname
import base64
import uuid
import urllib

46
debian/patches/fix-named-conf-template.diff vendored
View File

@@ -1,46 +0,0 @@
Description: fix named.conf template
* extra logging disabled as it'd just duplicate everything
* zones are loaded via includes
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,9 +4,9 @@ options {
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
- dump-file "data/cache_dump.db";
- statistics-file "data/named_stats.txt";
- memstatistics-file "data/named_mem_stats.txt";
+ dump-file "cache_dump.db";
+ statistics-file "named_stats.txt";
+ memstatistics-file "named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
@@ -27,18 +27,14 @@ options {
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- print-time yes;
- };
-};
+//logging {
+// channel default_debug {
+// file "data/named.run";
+// severity dynamic;
+// print-time yes;
+// };
+//};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";

81
debian/patches/fix-opendnssec-setup.diff vendored
View File

@@ -1,81 +0,0 @@
Description: Fix ODS setup with 2.0.x
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -8,7 +8,7 @@
<Module>$SOFTHSM_LIB</Module>
<TokenLabel>$TOKEN_LABEL</TokenLabel>
<PIN>$PIN</PIN>
- <AllowExtraction/>
+ <AllowExtraction/>
</Repository>
</RepositoryList>
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -282,20 +282,15 @@ class OpenDNSSECInstance(service.Service
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml
- cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+ cmd = [paths.ODS_ENFORCER, 'zonelist', 'export']
result = ipautil.run(cmd,
runas=constants.ODS_USER,
capture_output=True)
- with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
- zonelistf.write(result.output)
- os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
- self.ods_uid, self.ods_gid)
- os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660)
else:
# initialize new kasp.db
command = [
- paths.ODS_KSMUTIL,
+ paths.ODS_ENFORCER_SETUP,
'setup'
]
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -167,7 +167,8 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
- ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+ ODS_ENFORCER_SETUP = "/usr/sbin/ods-enforcer-db-setup"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -12,6 +12,7 @@ except ImportError:
from xml.etree import ElementTree as etree
from ipapython import ipa_log_manager, ipautil
+from ipaplatform.paths import paths
logger = logging.getLogger(__name__)
@@ -131,17 +132,18 @@ class ODSMgr(object):
self.zl_ldap = LDAPZoneListReader()
def ksmutil(self, params):
- """Call ods-ksmutil with given parameters and return stdout.
+ """Call ods-enforcer with given parameters and return stdout.
Raises CalledProcessError if returncode != 0.
"""
- cmd = ['ods-ksmutil'] + params
+ cmd = [paths.ODS_ENFORCER] + params
result = ipautil.run(cmd, capture_output=True)
return result.output
def get_ods_zonelist(self):
stdout = self.ksmutil(['zonelist', 'export'])
- reader = ODSZoneListReader(stdout)
+ with open(paths.OPENDNSSEC_ZONELIST_FILE) as f:
+ reader = ODSZoneListReader(f.read())
return reader
def add_ods_zone(self, uuid, name):

13
debian/patches/fix-pykerberos-api.diff vendored Normal file
View File

@@ -0,0 +1,13 @@
Description: we have a newer pykerberos than Fedora
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
service = "HTTP@" + host.split(':')[0]
try:
- (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+ (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)

11
debian/patches/fix-replicainstall.diff vendored
View File

@@ -1,11 +0,0 @@
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -758,7 +758,7 @@ def install_check(installer):
finally:
shutil.rmtree(tmp_db_dir)
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ ldapuri = 'ldap://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True,
context='installer',

14
debian/patches/fix-typo.patch vendored Normal file
View File

@@ -0,0 +1,14 @@
Description: Fix typo
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -140,7 +140,7 @@
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
-preceeding it with a backslash.
+preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.

14
debian/patches/hack-libarch.diff vendored
View File

@@ -1,14 +0,0 @@
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -330,9 +330,9 @@ class LDAPUpdate(object):
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:

11
debian/patches/no-test-lang.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/Makefile
+++ b/Makefile
@@ -114,7 +114,7 @@ client-dirs:
lint: bootstrap-autogen
./make-lint $(LINT_OPTIONS)
- $(MAKE) -C install/po validate-src-strings
+# $(MAKE) -C install/po validate-src-strings
test:

11
debian/patches/port-ipa-client-automount.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -311,7 +311,7 @@
Configure secure NFS
"""
replacevars = {
- 'SECURE_NFS': 'yes',
+ 'NEED_GSSD': 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
NFS_CONF, replacevars=replacevars)

70
debian/patches/prefix.patch vendored Normal file
View File

@@ -0,0 +1,70 @@
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Mon Jan 2 16:09:40 2012 +0200
use the debian layout when installing python modules
--- a/Makefile
+++ b/Makefile
@@ -96,11 +96,11 @@ client-install: client client-dirs
done
cd install/po && $(MAKE) install || exit 1;
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup-client.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup-client.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup-client.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup-client.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
client-dirs:
@@ -171,11 +171,11 @@ server: version-update
server-install: server
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
tests: version-update tests-man-autogen
@@ -186,7 +186,7 @@ tests-install: tests
if [ "$(DESTDIR)" = "" ]; then \
cd ipatests; $(PYTHON) setup.py install; \
else \
- cd ipatests; $(PYTHON) setup.py install --root $(DESTDIR); \
+ cd ipatests; $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
cd ipatests/man && $(MAKE) install
--- a/ipapython/Makefile
+++ b/ipapython/Makefile
@@ -14,7 +14,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
python2 setup.py install; \
else \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
--- a/ipapython/py_default_encoding/Makefile
+++ b/ipapython/py_default_encoding/Makefile
@@ -9,7 +9,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
python2 setup.py install; \
else \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
clean:

24
debian/patches/revert-pykerberos-api-change.diff vendored Normal file
View File

@@ -0,0 +1,24 @@
Description: so we don't need to patch pykerberos
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -59,15 +59,12 @@ def json_serialize(obj):
def get_current_principal():
try:
- import kerberos
- rc, vc = kerberos.authGSSClientInit("notempty")
- rc = kerberos.authGSSClientInquireCred(vc)
- username = kerberos.authGSSClientUserName(vc)
- kerberos.authGSSClientClean(vc)
- return unicode(username)
+ # krbV isn't necessarily available on client machines, fail gracefully
+ import krbV
+ return unicode(krbV.default_context().default_ccache().principal().name)
except ImportError:
- raise RuntimeError('python-kerberos is not available.')
- except kerberos.GSSError, e:
+ raise RuntimeError('python-krbV is not available.')
+ except krbV.Krb5Error:
#TODO: do a kinit?
raise errors.CCacheError()

22
debian/patches/series vendored
View File

@@ -1,13 +1,17 @@
# upstreamed
# not upstreamable
hack-libarch.diff
enable-mod-nss-during-setup.diff
work-around-apache-fail.diff
prefix.patch
no-test-lang.diff
port-ipa-client-automount.diff
# send upstream
fix-match-hostname.diff
add-debian-platform.diff
fix-hyphen-used-as-minus-sign.patch
fix-manpage-has-errors-from-man.patch
fix-typo.patch
fix-ipa-conf.diff
fix-replicainstall.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-opendnssec-setup.diff
support-kdb-dal-7.0.diff
fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
fix-bind-conf.diff
add-a-clear-openssl-exception.diff

90
debian/patches/support-kdb-dal-7.0.diff vendored
View File

@@ -1,90 +0,0 @@
commit 9f8700fceead6e7b4947dc86f161e78dabb5d186
Author: Robbie Harwood <rharwood@redhat.com>
Date: Mon Oct 9 11:39:09 2017 -0400
ipa-kdb: support KDB DAL version 7.0
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c0f1e276c..b11153ecc 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -709,7 +709,9 @@ kdb_vftabl kdb_function_table = {
};
#endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+#if ((KRB5_KDB_DAL_MAJOR_VERSION == 6) || \
+ (KRB5_KDB_DAL_MAJOR_VERSION == 7)) && \
+ defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 1,
@@ -742,7 +744,8 @@ kdb_vftabl kdb_function_table = {
};
#endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && (KRB5_KDB_DAL_MAJOR_VERSION != 6)
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 7)
#error unsupported DAL major version
#endif
-
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 72573a61a..be2f45752 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -326,6 +326,10 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 5f59bf33a..c68a67aa2 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -26,6 +26,10 @@
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4eac379ff..cb71fd7ae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -86,9 +86,13 @@ BuildRequires: openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
+%if 0%{?fedora} > 27
+BuildRequires: krb5-kdb-version = 7.0
+%else
%if 0%{?fedora} > 25
BuildRequires: krb5-kdb-version = 6.1
%endif
+%endif
BuildRequires: krb5-devel >= %{krb5_version}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4

25
debian/patches/work-around-apache-fail.diff vendored Normal file
View File

@@ -0,0 +1,25 @@
Description: service apache2 restart fails on sid, so don't do that
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1212,7 +1212,8 @@ def main():
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -124,7 +124,8 @@ class HTTPInstance(service.Service):
def __start(self):
self.backup_state("running", self.is_running())
- self.restart()
+ self.stop()
+ self.start()
def __enable(self):
self.backup_state("enabled", self.is_running())