Imported Debian patch 4.8.10-2

Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
2451 changed files with 1922786 additions and 338191 deletions


@@ -1,49 +0,0 @@
commit d762f61d25508c1856c0fa7dc0ea1e032671542b
Author: Simo Sorce <simo@redhat.com>
Date: Fri Feb 20 08:46:40 2015 -0500
Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
diff --git a/COPYING.openssl b/COPYING.openssl
new file mode 100644
index 0000000..8a92460
--- /dev/null
+++ b/COPYING.openssl
@@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index 8ffa666..c6abd4b 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -18,6 +18,10 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * This file includes an "OpenSSL license exception", see the
+ * COPYING.openssl file for details.
+ *
*/
#include <stdbool.h>


@@ -1,542 +0,0 @@
commit b076743f2cdd3a3cb9e8d0e8be7be8c90160fc21
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Fri Mar 1 12:21:00 2013 +0200
add debian platform support
--- /dev/null
+++ b/ipaplatform/debian/__init__.py
@@ -0,0 +1,22 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This module contains Debian specific platform files.
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,70 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This Debian base platform module exports default filesystem paths as common
+in Debian-based systems.
+"""
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+
+
+class DebianPathNamespace(BasePathNamespace):
+ ETC_HTTPD_DIR = "/etc/apache2"
+ HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+ HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+ HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+ HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+ IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
+ ETC_SYSCONFIG_DIR = "/etc/default"
+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
+ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
+ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
+ SYSCONFIG_PKI = "/etc/dogtag/"
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
+ SBIN_SERVICE = "/usr/sbin/service"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
+ HTTPD = "/usr/sbin/apache2ctl"
+ SETUP_DS_PL = "/usr/sbin/setup-ds"
+ VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+ VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+ CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
+ KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
+ VAR_LOG_HTTPD_DIR = "/var/log/apache2"
+ GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
+
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
@@ -0,0 +1,184 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Contains Debian-specific service class implementations.
+"""
+
+import time
+
+from ipaplatform.tasks import tasks
+from ipaplatform.base import services as base_services
+from ipaplatform.redhat import services as redhat_services
+from ipapython import ipautil
+from ipapython.ipa_log_manager import root_logger
+from ipalib import api
+from ipaplatform.paths import paths
+
+# Mappings from service names as FreeIPA code references to these services
+# to their actual systemd service names
+debian_system_units = redhat_services.redhat_system_units
+
+debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
+debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
+
+# Service classes that implement Debian-specific behaviour
+
+class DebianService(redhat_services.RedHatService):
+ system_units = debian_system_units
+
+
+class DebianSysvService(base_services.PlatformService):
+ def __wait_for_open_ports(self, instance_name=""):
+ """
+ If this is a service we need to wait for do so.
+ """
+ ports = None
+ if instance_name in base_services.wellknownports:
+ ports = base_services.wellknownports[instance_name]
+ else:
+ if self.service_name in base_services.wellknownports:
+ ports = base_services.wellknownports[self.service_name]
+ if ports:
+ ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
+ def stop(self, instance_name='', capture_output=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "stop",
+ instance_name], capture_output=capture_output)
+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
+ update_service_list = True
+ else:
+ update_service_list = False
+ super(DebianSysvService, self).stop(instance_name)
+
+ def start(self, instance_name='', capture_output=True, wait=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
+ instance_name], capture_output=capture_output)
+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
+ update_service_list = True
+ else:
+ update_service_list = False
+ if wait and self.is_running(instance_name):
+ self.__wait_for_open_ports(instance_name)
+ super(DebianSysvService, self).start(instance_name)
+
+ def restart(self, instance_name='', capture_output=True, wait=True):
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
+ instance_name], capture_output=capture_output)
+ if wait and self.is_running(instance_name):
+ self.__wait_for_open_ports(instance_name)
+
+ def is_running(self, instance_name=""):
+ ret = True
+ try:
+ (sout, serr, rcode) = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name])
+ if sout.find("NOT running") >= 0:
+ ret = False
+ if sout.find("stop") >= 0:
+ ret = False
+ except ipautil.CalledProcessError:
+ ret = False
+ return ret
+
+ def is_installed(self):
+ installed = True
+ try:
+ ipautil.run([paths.SBIN_SERVICE, self.service_name, "status"])
+ except ipautil.CalledProcessError, e:
+ if e.returncode == 1:
+ # service is not installed or there is other serious issue
+ installed = False
+ return installed
+
+ def is_enabled(self, instance_name=""):
+ # Services are always assumed to be enabled when installed
+ return True
+
+ def enable(self):
+ return True
+
+ def disable(self):
+ return True
+
+ def install(self):
+ return True
+
+ def remove(self):
+ return True
+
+ def tune_nofile_platform(self):
+ return True
+
+# For services which have no Debian counterpart
+class DebianNoService(base_services.PlatformService):
+ def restart(self):
+ return True
+
+ def disable(self):
+ return True
+
+
+class DebianSSHService(DebianSysvService):
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
+
+# Function that constructs proper Debian-specific server classes for services
+# of specified name
+
+def debian_service_class_factory(name):
+ if name == 'dirsrv':
+ return redhat_services.RedHatDirectoryService(name)
+ if name == 'domainname':
+ return DebianNoService(name)
+ if name == 'ipa':
+ return redhat_services.RedHatIPAService(name)
+ if name == 'httpd':
+ return DebianSysvService("apache2")
+ if name == 'kadmin':
+ return DebianSysvService("krb5-admin-server")
+ if name == 'krb5kdc':
+ return DebianSysvService("krb5-kdc")
+ if name == 'messagebus':
+ return DebianSysvService("dbus")
+ if name == 'named':
+ return DebianSysvService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'sshd':
+ return DebianSSHService(name)
+ return DebianService(name)
+
+
+# Magicdict containing DebianService instances.
+
+class DebianServices(base_services.KnownServices):
+ def __init__(self):
+ services = dict()
+ for s in base_services.wellknownservices:
+ services[s] = debian_service_class_factory(s)
+ # Call base class constructor. This will lock services to read-only
+ super(DebianServices, self).__init__(services)
+
+
+# Objects below are expected to be exported by platform module
+
+from ipaplatform.base.services import timedate_services
+service = debian_service_class_factory
+knownservices = DebianServices()
--- /dev/null
+++ b/ipaplatform/debian/tasks.py
@@ -0,0 +1,53 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
+# Copyright (C) 2014 Timo Aaltonen
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This module contains default Debian-specific implementations of system tasks.
+"""
+
+from ipaplatform.paths import paths
+from ipaplatform.base.tasks import *
+from ipaplatform.redhat.tasks import RedHatTaskNamespace
+
+class DebianTaskNamespace(RedHatTaskNamespace):
+
+ def restore_pre_ipa_client_configuration(self, fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+ return True
+
+ def set_nisdomain(self, nisdomain):
+ return True
+
+ def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
+ return True
+
+ def modify_pam_to_use_krb5(self, statestore):
+ return True
+
+ def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
+ return True
+
+ def remove_ca_certs_from_systemwide_ca_store(self):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ return True
+
+tasks = DebianTaskNamespace()
--- a/ipaplatform/setup.py.in
+++ b/ipaplatform/setup.py.in
@@ -67,6 +67,7 @@ def setup_package():
package_dir = {'ipaplatform': ''},
packages = ["ipaplatform",
"ipaplatform.base",
+ "ipaplatform.debian",
"ipaplatform.fedora",
"ipaplatform.redhat",
"ipaplatform.rhel"],
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -46,6 +46,8 @@ class NTPInstance(service.Service):
os = "fedora"
elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
os = "rhel"
+ elif ipautil.file_exists(paths.ETC_DEBIAN_VERSION):
+ os = "debian"
srv_vals = []
srv_vals.append("0.%s.pool.ntp.org" % os)
@@ -105,9 +107,9 @@ class NTPInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
for opt in needopts:
if sline.find(opt['val']) != -1:
opt['need'] = False
@@ -123,12 +125,12 @@ class NTPInstance(service.Service):
for line in lines:
if not done:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
fd.write(line)
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
(variable, opts) = sline.split('=', 1)
- fd.write('OPTIONS="%s %s"\n' % (opts, ' '.join(newopts)))
+ fd.write('NTPD_OPTS="%s %s"\n' % (opts, ' '.join(newopts)))
done = True
else:
fd.write(line)
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -247,9 +247,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -204,14 +205,14 @@ class HTTPInstance(service.Service):
self.move_service(self.principal)
self.add_cert_to_service()
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='www-data', raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@@ -260,11 +261,11 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def __set_mod_nss_passwordfile(self):
- installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+ installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
- if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+ if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf-available/ipa-rewrite.conf\n</VirtualHost>') != 0:
print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
def __setup_ssl(self):
@@ -305,7 +306,7 @@ class HTTPInstance(service.Service):
os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
@@ -400,6 +401,8 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
if not enabled is None and not enabled:
self.disable()
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -148,7 +148,7 @@ class ServerCertInstall(admintool.AdminT
os.chmod(os.path.join(dirname, 'key3.db'), 0640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1130,7 +1130,7 @@ class CAInstance(service.Service):
os.chmod(self.ra_agent_db + "/key3.db", 0640)
os.chmod(self.ra_agent_db + "/secmod.db", 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -740,7 +740,7 @@ class CertDB(object):
f.close()
pwdfile.close()
# TODO: replace explicit uid by a platform-specific one
- self.set_perms(self.pwd_conf, uid="apache")
+ self.set_perms(self.pwd_conf, uid="www-data")
def find_root_cert(self, nickname):
"""
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -483,7 +483,7 @@ class BindInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
- reverse_zone, named_user="named", zonemgr=None,
+ reverse_zone, named_user="bind", zonemgr=None,
ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
@@ -874,7 +874,7 @@ class BindInstance(service.Service):
def __generate_rndc_key(self):
installutils.check_entropy()
- ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ ipautil.run(paths.GENERATE_RNDC_KEY)
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False, ca_configured=None):
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

14
debian/patches/dnssec-race-wa.diff vendored Normal file

@@ -0,0 +1,14 @@
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 95029fd5e..9b800f509 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -306,6 +306,9 @@ class OpenDNSSECInstance(service.Service):
def __start(self):
self.restart() # needed to reload conf files
+ import time
+ while not os.path.exists('/run/opendnssec/enforcer.sock'):
+ time.sleep(1)
tasks.run_ods_policy_import()
if self.kasp_db_file:
# regenerate zonelist.xml
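Review bot: The wait loop added at the `while not os.path.exists('/run/opendnssec/enforcer.sock')` line has no upper bound, so if the enforcer never creates its socket (it failed to start, or the socket lives elsewhere on this platform) `__start` blocks forever and the installer hangs with no diagnostic. A bounded wait that raises after a deadline keeps the race workaround while turning a stuck enforcer into a visible, logged failure; raise whatever error type the installer's step machinery already reports cleanly if `RuntimeError` is not it. The function-local `import time` belongs with the module's other imports (outside the hunk), and the socket path is hardcoded rather than taken from the platform path namespace, so a comment stating that this is a start-up race workaround would help the next maintainer. The `__start` method continues past the end of the hunk.
```python
    def __start(self):
        self.restart()  # needed to reload conf files
        # Workaround: the enforcer creates its control socket some time after
        # the service reports started. Bound the wait so a failed enforcer
        # surfaces as an error instead of an indefinite hang.
        deadline = time.monotonic() + ENFORCER_SOCKET_TIMEOUT  # placeholder: timeout in seconds
        while not os.path.exists('/run/opendnssec/enforcer.sock'):
            if time.monotonic() >= deadline:
                raise RuntimeError(
                    "timed out waiting for /run/opendnssec/enforcer.sock")
            time.sleep(1)
        # … unchanged: run_ods_policy_import and zonelist regeneration …
```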


@@ -1,39 +0,0 @@
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/cache/bind"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
@@ -14,7 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-keytab "/etc/named.keytab";
+ tkey-gssapi-keytab "/etc/bind/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
@@ -32,12 +32,13 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
+// included below
+//zone "." IN {
+// type hint;
+// file "named.ca";
+//};
-include "/etc/named.rfc1912.zones";
+include "/etc/bind/named.conf.default-zones";
dynamic-db "ipa" {
library "ldap.so";


@@ -0,0 +1,12 @@
diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 812bbdaf2..9750fdeaa 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -20,6 +20,7 @@ debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
+debian_system_units['chronyd'] = 'chrony.service'
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'


@@ -1,77 +0,0 @@
Description: Fix hyphen-used-as-minus-sign warning (found by Lintian).
See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for
an explanation.
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -107,7 +107,7 @@ The name of the user with administrative
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
-The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -70,13 +70,13 @@ Output only errors
.SH "EXAMPLES"
.TP
-\fBipa-replica-conncheck -m master.example.com\fR
+\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
-\fBipa-replica-conncheck -R replica.example.com\fR
+\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
-\fBipa-replica-conncheck -m master.example.com -a -r EXAMPLE.COM -w password\fR
+\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -49,7 +49,7 @@ Create home directories for users on the
The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
+The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -22,7 +22,7 @@ ipa\-test\-config \- Generate FreeIPA te
.SH "SYNOPSIS"
ipa\-test\-config [options]
.br
-ipa\-test\-config [options] --global
+ipa\-test\-config [options] \-\-global
.br
ipa\-test\-config [options] hostname
.SH "DESCRIPTION"
@@ -37,7 +37,7 @@ If run without arguments, it prints out
host.
Another host may be specified as an argument, or via the \-\-master,
\-\-replica, and \-\-client options.
-With the --global option, it prints only configuration that is not specific to
+With the \-\-global option, it prints only configuration that is not specific to
any host.
.SH "OPTIONS"
--- a/ipatests/man/ipa-test-task.1
+++ b/ipatests/man/ipa-test-task.1
@@ -20,7 +20,7 @@
.SH "NAME"
ipa\-test\-task \- Run a task for FreeIPA testing
.SH "SYNOPSIS"
-ipa\-test\-task -h
+ipa\-test\-task \-h
.br
ipa\-test\-task [global-options] TASK [task-options]
.SH "DESCRIPTION"


@@ -1,49 +0,0 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -38,7 +38,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /run/httpd/wsgi
+WSGISocketPrefix /run/apache2/wsgi
# Configure mod_wsgi handler for /ipa
@@ -71,7 +71,7 @@ KrbConstrainedDelegationLock ipa
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
@@ -138,8 +138,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
-Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
+Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/truetype/open-sans"
+Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/truetype/font-awesome"
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
@@ -175,14 +175,14 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
</Directory>
# Protect our CGIs
-<Directory /var/www/cgi-bin>
+<Directory /usr/lib/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html


@@ -1,93 +0,0 @@
Description: Fix manpage-has-errors-from-man warning (found by Lintian).
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- freeipa-4.0.2.orig/ipa-client/man/default.conf.5
+++ freeipa-4.0.2/ipa-client/man/default.conf.5
@@ -47,14 +47,14 @@ Valid lines consist of an option name, a
Values should not be quoted, the quotes will not be stripped.
-.np
+.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
-.fi
+.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
--- freeipa-4.0.2.orig/ipa-client/man/ipa-client-install.1
+++ freeipa-4.0.2/ipa-client/man/ipa-client-install.1
@@ -205,35 +205,47 @@ Unattended uninstallation. The user will
.TP
Files that will be replaced if SSSD is configured (default):
-/etc/sssd/sssd.conf\p
+/etc/sssd/sssd.conf
.TP
Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
-/etc/ldap.conf\p
-/etc/nss_ldap.conf\p
-/etc/libnss\-ldap.conf\p
-/etc/pam_ldap.conf\p
-/etc/nslcd.conf\p
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
.TP
Files replaced if NTP is enabled:
-/etc/ntp.conf\p
-/etc/sysconfig/ntpd\p
-/etc/ntp/step\-tickers\p
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
.TP
Files always created (replacing existing content):
-/etc/krb5.conf\p
-/etc/ipa/ca.crt\p
-/etc/ipa/default.conf\p
-/etc/openldap/ldap.conf\p
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/openldap/ldap.conf
.TP
Files updated, existing content is maintained:
-/etc/nsswitch.conf\p
-/etc/pki/nssdb\p
-/etc/krb5.keytab\p
-/etc/sysconfig/network\p
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
.SH "EXIT STATUS"
0 if the installation was successful


@@ -1,11 +0,0 @@
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -25,7 +25,7 @@ from ipalib.errors import PasswordMismat
from ipalib.request import context
from ipalib.frontend import Local
-from backports.ssl_match_hostname import match_hostname
+from ssl import match_hostname
import base64
import uuid
import urllib


@@ -1,13 +0,0 @@
Description: we have a newer pykerberos than Fedora
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
service = "HTTP@" + host.split(':')[0]
try:
- (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+ (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)


@@ -0,0 +1,8 @@
--- a/install/share/advise/legacy/sssd.conf.template
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -1,5 +1,4 @@
[sssd]
-services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
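Review bot: With `services = nss, pam` dropped from the advised legacy sssd.conf, the nss and pam responders are presumably expected to be socket-activated, which only works on hosts where the corresponding sssd responder socket units are enabled; nothing in the template records that dependency, so a reader of the generated file has no way to tell whether the omission is deliberate. A comment in the template such as `# nss/pam responders are socket-activated; do not list them in 'services'` would make the intent explicit and keep someone from "fixing" it back.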


@@ -1,14 +0,0 @@
Description: Fix typo
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -140,7 +140,7 @@
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
-preceeding it with a backslash.
+preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.

11
debian/patches/migrate-to-gpg.diff vendored Normal file

@@ -0,0 +1,11 @@
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -176,7 +176,7 @@ class BasePathNamespace:
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
- GPG2 = "/usr/bin/gpg2"
+ GPG2 = "/usr/bin/gpg"
GPG_CONF = "/usr/bin/gpgconf"
GPG_CONNECT_AGENT = "/usr/bin/gpg-connect-agent"
GPG_AGENT = "/usr/bin/gpg-agent"


@@ -1,11 +0,0 @@
--- a/Makefile
+++ b/Makefile
@@ -114,7 +114,7 @@ client-dirs:
lint: bootstrap-autogen
./make-lint $(LINT_OPTIONS)
- $(MAKE) -C install/po validate-src-strings
+# $(MAKE) -C install/po validate-src-strings
test:


@@ -0,0 +1,796 @@
--- a/daemons/dnssec/ipa-dnskeysync-replica.in
+++ b/daemons/dnssec/ipa-dnskeysync-replica.in
@@ -145,7 +145,7 @@ def ldap2replica_zone_keys_sync(ldapkeyd
# IPA framework initialization
-standard_logging_setup(verbose=True, debug=True)
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
--- a/daemons/dnssec/ipa-dnskeysyncd.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.in
@@ -23,12 +23,9 @@ logger = logging.getLogger(os.path.basen
# IPA framework initialization
-standard_logging_setup(verbose=True)
+standard_logging_setup(debug=True)
api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
api.finalize()
-if api.env.debug:
- root_logger = logging.getLogger()
- root_logger.setLevel(logging.DEBUG)
# Global state
watcher_running = True
--- a/daemons/dnssec/ipa-ods-exporter.in
+++ b/daemons/dnssec/ipa-ods-exporter.in
@@ -29,12 +29,12 @@ import dns.dnssec
from gssapi.exceptions import GSSError
import six
import systemd.daemon
-import systemd.journal
import ipalib
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
+from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -650,20 +650,8 @@ def cleanup_ldap_zone(ldap, dns_dn, zone
ldap.delete_entry(ldap_key)
-# this service is usually socket-activated
-root_logger = logging.getLogger()
-root_logger.addHandler(systemd.journal.JournalHandler())
-root_logger.setLevel(level=logging.DEBUG)
-
-if len(sys.argv) > 2:
- print(__doc__)
- sys.exit(1)
-# program was likely invoked from console, log to it
-elif len(sys.argv) == 2:
- console = logging.StreamHandler()
- root_logger.addHandler(console)
-
# IPA framework initialization
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -99,6 +99,15 @@
%global httpd_version 2.4.41-6.1
%endif
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+%if 0%{?fedora} >= 31
+ %global with_bind_pkcs11 0
+ %global openssl_pkcs11_version 0.4.10-6
+ %global softhsm_version 2.5.0-4
+%else
+ %global with_bind_pkcs11 1
+%endif
+
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -463,8 +472,13 @@ Requires: %{name}-server = %{version}-%{
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
+%if 0%{?with_bind_pkcs11}
Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
%if 0%{?fedora} >= 32
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
Requires: opendnssec >= 2.1.6-5
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,8 @@ dist_app_DATA = \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.named.conf.template \
+ bind.openssl.cnf.template \
+ bind.openssl.cryptopolicy.cnf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
--- /dev/null
+++ b/install/share/bind.openssl.cnf.template
@@ -0,0 +1,14 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- /dev/null
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_configuration
+engines = engine_section
+
+[ssl_configuration]
+system_default = crypto_policy
+
+[crypto_policy]
+.include $CRYPTO_POLICY_FILE
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -23,6 +23,8 @@ class BaseConstantsNamespace:
NAMED_USER = "named"
NAMED_GROUP = "named"
NAMED_DATA_DIR = "data/"
+ NAMED_OPTIONS_VAR = "OPTIONS"
+ NAMED_OPENSSL_ENGINE = None
NAMED_ZONE_COMMENT = ""
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -26,6 +26,7 @@ import os
class BasePathNamespace:
BIN_HOSTNAMECTL = "/bin/hostnamectl"
+ CRYPTO_POLICY_OPENSSLCNF_FILE = None
ECHO = "/bin/echo"
FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
GZIP = "/bin/gzip"
@@ -69,6 +70,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ DNSSEC_OPENSSL_CONF = None
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
@@ -253,8 +255,6 @@ class BasePathNamespace:
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
- NAMED = "/usr/sbin/named"
- NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
CHRONYC = "/usr/bin/chronyc"
CHRONYD = "/usr/sbin/chronyd"
PKIDESTROY = "/usr/sbin/pkidestroy"
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -27,4 +27,6 @@ class FedoraConstantsNamespace(RedHatCon
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
+ NAMED_OPENSSL_ENGINE = "pkcs11"
+
constants = FedoraConstantsNamespace()
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,8 @@ class FedoraPathNamespace(RedHatPathName
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -29,6 +29,8 @@ from ipaplatform.redhat import services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
+fedora_system_units['named'] = fedora_system_units['named-regular']
+fedora_system_units['named-conflict'] = fedora_system_units['named-pkcs11']
# Service classes that implement Fedora-specific behaviour
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedH
# of specified name
def fedora_service_class_factory(name, api=None):
+ if name in ['named', 'named-conflict']:
+ return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BaseP
class RedHatPathNamespace(BasePathNamespace):
+ CRYPTO_POLICY_OPENSSLCNF_FILE = (
+ '/etc/crypto-policies/back-ends/opensslcnf.config'
+ )
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] =
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
+redhat_system_units['named-conflict'] = redhat_system_units['named-regular']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -16,11 +16,14 @@ import stat
import six
import ipalib.constants
+
from ipapython.dn import DN
from ipapython import ipautil
+from ipaplatform.constants import constants as platformconstants
from ipaplatform.paths import paths
from ipaserver.dnssec.temp import TemporaryDirectory
+from ipaserver.install import installutils
logger = logging.getLogger(__name__)
@@ -133,8 +136,11 @@ class BINDMgr:
cmd.extend(['-f', 'KSK'])
if attrs.get('idnsSecKeyRevoke', [b'FALSE'])[0].upper() == b'TRUE':
cmd.extend(['-R', datetime.now().strftime(time_bindfmt)])
+ if platformconstants.NAMED_OPENSSL_ENGINE is not None:
+ cmd.extend(['-E', platformconstants.NAMED_OPENSSL_ENGINE])
cmd.append(zone.to_text())
+ installutils.check_entropy()
# keys has to be readable by ODS & named
result = ipautil.run(cmd, capture_output=True)
basename = result.output.strip()
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -663,7 +663,7 @@ class BindInstance(service.Service):
self.no_dnssec_validation = False
self.sub_dict = None
self.reverse_zones = ()
- self.named_regular = services.service('named-regular', api)
+ self.named_conflict = services.service('named-conflict', api)
suffix = ipautil.dn_attribute_property('_suffix')
@@ -770,7 +770,7 @@ class BindInstance(service.Service):
# named has to be started after softhsm initialization
# self.step("restarting named", self.__start)
- self.step("configuring named to start on boot", self.__enable)
+ self.step("configuring named to start on boot", self.switch_service)
self.step(
"changing resolv.conf to point to ourselves",
self.setup_resolv_conf
@@ -783,19 +783,16 @@ class BindInstance(service.Service):
def __start(self):
try:
- if self.get_state("running") is None:
- # first time store status
- self.backup_state("running", self.is_running())
self.restart()
except Exception as e:
logger.error("Named service failed to start (%s)", e)
print("named service failed to start")
+ def switch_service(self):
+ self.mask_conflict()
+ self.__enable()
+
def __enable(self):
- if self.get_state("enabled") is None:
- self.backup_state("enabled", self.is_running())
- self.backup_state("named-regular-enabled",
- self.named_regular.is_running())
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
@@ -806,20 +803,19 @@ class BindInstance(service.Service):
# don't crash, just report error
logger.error("DNS service already exists")
- # disable named, we need to run named-pkcs11 only
- if self.get_state("named-regular-running") is None:
- # first time store status
- self.backup_state("named-regular-running",
- self.named_regular.is_running())
+ def mask_conflict(self):
+ # disable named-conflict (either named or named-pkcs11)
try:
- self.named_regular.stop()
+ self.named_conflict.stop()
except Exception as e:
- logger.debug("Unable to stop named (%s)", e)
+ logger.debug("Unable to stop %s (%s)",
+ self.named_conflict.systemd_name, e)
try:
- self.named_regular.mask()
+ self.named_conflict.mask()
except Exception as e:
- logger.debug("Unable to mask named (%s)", e)
+ logger.debug("Unable to mask %s (%s)",
+ self.named_conflict.systemd_name, e)
def _get_dnssec_validation(self):
"""get dnssec-validation value
@@ -1318,11 +1314,6 @@ class BindInstance(service.Service):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
- running = self.restore_state("running")
- enabled = self.restore_state("enabled")
- named_regular_running = self.restore_state("named-regular-running")
- named_regular_enabled = self.restore_state("named-regular-enabled")
-
self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())
try:
@@ -1337,23 +1328,10 @@ class BindInstance(service.Service):
ipautil.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)
- # disabled by default, by ldap_configure()
- if enabled:
- self.enable()
- else:
- self.disable()
-
- if running:
- self.restart()
- else:
- self.stop()
-
- self.named_regular.unmask()
- if named_regular_enabled:
- self.named_regular.enable()
+ self.disable()
+ self.stop()
- if named_regular_running:
- self.named_regular.start()
+ self.named_conflict.unmask()
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -4,11 +4,12 @@
from __future__ import print_function, absolute_import
-import logging
import errno
+import grp
+import logging
import os
import pwd
-import grp
+import re
import shutil
import stat
@@ -56,10 +57,10 @@ class DNSKeySyncInstance(service.Service
keytab=paths.IPA_DNSKEYSYNCD_KEYTAB
)
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
- self.named_uid = None
- self.named_gid = None
- self.ods_uid = None
- self.ods_gid = None
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+ self.ods_uid = self.__get_ods_uid()
+ self.ods_gid = self.__get_ods_gid()
suffix = ipautil.dn_attribute_property('_suffix')
@@ -67,12 +68,6 @@ class DNSKeySyncInstance(service.Service
"""
Setting up correct permissions to allow write/read access for daemons
"""
- if self.named_uid is None:
- self.named_uid = self.__get_named_uid()
-
- if self.named_gid is None:
- self.named_gid = self.__get_named_gid()
-
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
# dnssec daemons require to have access into the directory
@@ -133,20 +128,19 @@ class DNSKeySyncInstance(service.Service
except KeyError:
raise RuntimeError("Named GID not found")
- def __check_dnssec_status(self):
- self.named_uid = self.__get_named_uid()
- self.named_gid = self.__get_named_gid()
-
+ def __get_ods_uid(self):
try:
- self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
+ return pwd.getpwnam(constants.ODS_USER).pw_uid
except KeyError:
raise RuntimeError("OpenDNSSEC UID not found")
+ def __get_ods_gid(self):
try:
- self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
+ return grp.getgrnam(constants.ODS_GROUP).gr_gid
except KeyError:
raise RuntimeError("OpenDNSSEC GID not found")
+ def __check_dnssec_status(self):
if not dns_container_exists(self.suffix):
raise RuntimeError("DNS container does not exist")
@@ -164,10 +158,94 @@ class DNSKeySyncInstance(service.Service
self._ldap_mod("dnssec.ldif", {'SUFFIX': self.suffix, })
- def __setup_softhsm(self):
- assert self.ods_uid is not None
- assert self.named_gid is not None
+ def _are_named_options_configured(self, options):
+ """Check whether the sysconfig of named is patched
+ Additional command line options for named are passed
+ via OPTIONS env variable. Since custom options can be
+ supplied by a vendor, at least, the base parsing of such
+ is required.
+ Current named command line options:
+ NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:M:m:n:N:p:P:sS:t:T:U:u:vVx:X:"
+ If there are several same options the last passed wins.
+ """
+ if options:
+ pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
+ engines = re.findall(pattern, options)
+ if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+ return True
+
+ return False
+
+ def setup_named_openssl_conf(self):
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ logger.debug("Setup OpenSSL config for BIND")
+ # setup OpenSSL config for BIND,
+ # this one is needed because FreeIPA installation
+ # disables p11-kit-proxy PKCS11 module
+ conf_file_dict = {
+ 'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
+ 'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
+ 'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
+ }
+ if paths.CRYPTO_POLICY_OPENSSLCNF_FILE is None:
+ opensslcnf_tmpl = "bind.openssl.cnf.template"
+ else:
+ opensslcnf_tmpl = "bind.openssl.cryptopolicy.cnf.template"
+
+ named_openssl_txt = ipautil.template_file(
+ os.path.join(paths.USR_SHARE_IPA_DIR, opensslcnf_tmpl),
+ conf_file_dict
+ )
+ with open(paths.DNSSEC_OPENSSL_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o640)
+ os.fchown(f.fileno(), 0, self.named_gid)
+ f.write(named_openssl_txt)
+
+ def setup_named_sysconfig(self):
+ logger.debug("Setup BIND sysconfig")
+ sysconfig = paths.SYSCONFIG_NAMED
+ self.fstore.backup_file(sysconfig)
+
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ options = directivesetter.get_directive(
+ paths.SYSCONFIG_NAMED,
+ constants.NAMED_OPTIONS_VAR,
+ separator="="
+ ) or ''
+ if not self._are_named_options_configured(options):
+ engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE)
+ new_options = ' '.join([options, engine_cmd])
+ directivesetter.set_directive(
+ sysconfig,
+ constants.NAMED_OPTIONS_VAR, new_options,
+ quotes=True, separator='=')
+
+ def setup_ipa_dnskeysyncd_sysconfig(self):
+ logger.debug("Setup ipa-dnskeysyncd sysconfig")
+ sysconfig = paths.SYSCONFIG_IPA_DNSKEYSYNCD
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ def __setup_softhsm(self):
token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)
# create dnssec directory
@@ -186,23 +264,15 @@ class DNSKeySyncInstance(service.Service
'tokens_dir': paths.DNSSEC_TOKENS_DIR
}
logger.debug("Creating new softhsm config file")
- named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(softhsm_conf_txt)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)
-
- # setting up named to use softhsm2
- if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
- self.fstore.backup_file(paths.SYSCONFIG_NAMED)
-
- # setting up named and ipa-dnskeysyncd to use our softhsm2 config
- for sysconfig in [paths.SYSCONFIG_NAMED,
- paths.SYSCONFIG_IPA_DNSKEYSYNCD]:
- directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF',
- paths.DNSSEC_SOFTHSM2_CONF,
- quotes=False, separator='=')
+ with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o644)
+ f.write(softhsm_conf_txt)
+
+ # setting up named and ipa-dnskeysyncd to use our softhsm2 and
+ # openssl configs
+ self.setup_named_openssl_conf()
+ self.setup_named_sysconfig()
+ self.setup_ipa_dnskeysyncd_sysconfig()
if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
@@ -231,23 +301,17 @@ class DNSKeySyncInstance(service.Service
entropy_bits=0, special=None, min_len=pin_length)
logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770)
- # chown to ods:named
- os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)
+ with open(paths.DNSSEC_SOFTHSM_PIN, 'w') as f:
+ # chown to ods:named
+ os.fchown(f.fileno(), self.ods_uid, self.named_gid)
+ os.fchmod(f.fileno(), 0o660)
+ f.write(pin)
logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin_so)
- named_fd.close()
- # owner must be root
- os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400)
+ with open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') as f:
+ # owner must be root
+ os.fchmod(f.fileno(), 0o400)
+ f.write(pin_so)
# initialize SoftHSM
@@ -377,7 +441,7 @@ class DNSKeySyncInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid)
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
# chown to ods:named
os.chown(file_path, self.ods_uid, self.named_gid)
@@ -389,7 +453,6 @@ class DNSKeySyncInstance(service.Service
logger.error("DNSKeySync service already exists")
def __setup_principal(self):
- assert self.ods_gid is not None
ipautil.remove_keytab(self.keytab)
installutils.kadmin_addprinc(self.principal)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -185,6 +185,7 @@ class Backup(admintool.AdminTool):
paths.OPENDNSSEC_KASP_FILE,
paths.OPENDNSSEC_ZONELIST_FILE,
paths.OPENDNSSEC_KASP_DB,
+ paths.DNSSEC_OPENSSL_CONF,
paths.DNSSEC_SOFTHSM2_CONF,
paths.DNSSEC_SOFTHSM_PIN_SO,
paths.IPA_ODS_EXPORTER_KEYTAB,
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -106,9 +106,9 @@ def install(api, replica_config, options
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
- # Restarted named-pkcs11 to restore bind-dyndb-ldap operation, see
+ # Restarted named to restore bind-dyndb-ldap operation, see
# https://pagure.io/freeipa/issue/5813
- named = services.knownservices.named # alias for named-pkcs11
+ named = services.knownservices.named # alias for current named
if named.is_running():
named.restart(capture_output=True)
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -269,7 +269,7 @@ class OpenDNSSECInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid) # chown to ods:named
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
os.chown(file_path, self.ods_uid, self.named_gid) # chown to ods:named
finally:
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -509,6 +509,24 @@ def ca_initialize_hsm_state(ca):
ca.set_hsm_state(config)
+def dnssec_set_openssl_engine(dnskeysyncd):
+ """
+ Setup OpenSSL engine for BIND
+ """
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ if sysupgrade.get_upgrade_state('dns', 'openssl_engine'):
+ return False
+
+ logger.info('[Set OpenSSL engine for BIND]')
+ dnskeysyncd.setup_named_openssl_conf()
+ dnskeysyncd.setup_named_sysconfig()
+ dnskeysyncd.setup_ipa_dnskeysyncd_sysconfig()
+ sysupgrade.set_upgrade_state('dns', 'openssl_engine', True)
+
+ return True
+
def certificate_renewal_update(ca, kra, ds, http):
"""
@@ -1395,7 +1413,10 @@ def upgrade_bind(fstore):
logger.info("DNS service is not configured")
return False
- # get rid of old upgrade states
+ bind_switch_service(bind)
+
+ # get rid of old states
+ bind_old_states(bind)
bind_old_upgrade_states()
# only upgrade with drop-in is missing and /etc/resolv.conf is a link to
@@ -1428,6 +1449,38 @@ def upgrade_bind(fstore):
return changed
+def bind_switch_service(bind):
+ """
+ Mask either named or named-pkcs11, we need to run only one,
+ running both can cause unexpected errors.
+ """
+ named_conflict_name = bind.named_conflict.systemd_name
+ named_conflict_old = sysupgrade.get_upgrade_state('dns', 'conflict_named')
+
+ # nothing changed
+ if named_conflict_old and named_conflict_old == named_conflict_name:
+ return False
+
+ bind.switch_service()
+
+ sysupgrade.set_upgrade_state('dns', 'conflict_named', named_conflict_name)
+ return True
+
+
+def bind_old_states(bind):
+ """Remove old states
+ """
+ # no longer used states
+ old_states = [
+ "enabled",
+ "running",
+ "named-regular-enabled",
+ "named-regular-running",
+ ]
+ for state in old_states:
+ bind.delete_state(state)
+
+
def bind_old_upgrade_states():
"""Remove old upgrade states
"""
@@ -1673,6 +1726,9 @@ def upgrade_configuration():
if not dnskeysyncd.is_configured():
dnskeysyncd.create_instance(fqdn, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
+ else:
+ if dnssec_set_openssl_engine(dnskeysyncd):
+ dnskeysyncd.start_dnskeysyncd()
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -533,6 +533,9 @@ class Service:
def get_state(self, key):
return self.sstore.get_state(self.service_name, key)
+ def delete_state(self, key):
+ self.sstore.delete_state(self.service_name, key)
+
def print_msg(self, message):
print_msg(message, self.output_fd)
@@ -660,6 +663,7 @@ class Service:
]
extra_config_opts.extend(config)
+ self.unmask()
self.disable()
set_service_entry_config(
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -989,7 +989,7 @@ class TestIPACommand(IntegrationTest):
# get minimum version from current crypto-policy
openssl_cnf = self.master.get_file_contents(
- "/etc/crypto-policies/back-ends/opensslcnf.config",
+ paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
encoding="utf-8"
)
mo = re.search(r"MinProtocol\s*=\s*(TLSv[0-9.]+)", openssl_cnf)
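Review bot: The SoftHSM user PIN file is created by `open(paths.DNSSEC_SOFTHSM_PIN, 'w')` with whatever mode the process umask yields and only afterwards tightened by `os.fchmod(f.fileno(), 0o660)`, so a local process that opens the file for reading in that window keeps a descriptor that can read the PIN once `f.write(pin)` runs; the SO PIN (`0o400`) and `DNSSEC_OPENSSL_CONF` (`0o640`) are written with the same sequence. The parent directory's mode may already block other users, but creating the file restrictively up front closes the window regardless, e.g. `with os.fdopen(os.open(paths.DNSSEC_SOFTHSM_PIN, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:` followed by the existing fchown/fchmod/write. Separately, `setup_named_sysconfig` now calls `self.fstore.backup_file(sysconfig)` unconditionally where the removed code first checked `has_file`, and the same method is reached from `dnssec_set_openssl_engine` during upgrade; unless `backup_file` itself refuses to overwrite an existing backup, an upgrade could replace the pristine pre-IPA copy of the sysconfig with the already-modified one. The enclosing `__setup_softhsm` body and the `upgrade_bind`/`upgrade_configuration` callers begin outside the hunks shown.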


@@ -1,11 +0,0 @@
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -311,7 +311,7 @@
Configure secure NFS
"""
replacevars = {
- 'SECURE_NFS': 'yes',
+ 'NEED_GSSD': 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
NFS_CONF, replacevars=replacevars)


@@ -1,70 +0,0 @@
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Mon Jan 2 16:09:40 2012 +0200
use the debian layout when installing python modules
--- a/Makefile
+++ b/Makefile
@@ -96,11 +96,11 @@ client-install: client client-dirs
done
cd install/po && $(MAKE) install || exit 1;
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup-client.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup-client.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup-client.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup-client.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
client-dirs:
@@ -171,11 +171,11 @@ server: version-update
server-install: server
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
tests: version-update tests-man-autogen
@@ -186,7 +186,7 @@ tests-install: tests
if [ "$(DESTDIR)" = "" ]; then \
cd ipatests; $(PYTHON) setup.py install; \
else \
- cd ipatests; $(PYTHON) setup.py install --root $(DESTDIR); \
+ cd ipatests; $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
cd ipatests/man && $(MAKE) install
--- a/ipapython/Makefile
+++ b/ipapython/Makefile
@@ -14,7 +14,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
python2 setup.py install; \
else \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
--- a/ipapython/py_default_encoding/Makefile
+++ b/ipapython/py_default_encoding/Makefile
@@ -9,7 +9,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
python2 setup.py install; \
else \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
clean:


@@ -1,24 +0,0 @@
Description: so we don't need to patch pykerberos
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -59,15 +59,12 @@ def json_serialize(obj):
def get_current_principal():
try:
- import kerberos
- rc, vc = kerberos.authGSSClientInit("notempty")
- rc = kerberos.authGSSClientInquireCred(vc)
- username = kerberos.authGSSClientUserName(vc)
- kerberos.authGSSClientClean(vc)
- return unicode(username)
+ # krbV isn't necessarily available on client machines, fail gracefully
+ import krbV
+ return unicode(krbV.default_context().default_ccache().principal().name)
except ImportError:
- raise RuntimeError('python-kerberos is not available.')
- except kerberos.GSSError, e:
+ raise RuntimeError('python-krbV is not available.')
+ except krbV.Krb5Error:
#TODO: do a kinit?
raise errors.CCacheError()

22
debian/patches/series vendored

@@ -1,17 +1,11 @@
# upstreamed
pkcs11-openssl-for-bind.diff
# not upstreamable
work-around-apache-fail.diff
prefix.patch
no-test-lang.diff
port-ipa-client-automount.diff
# send upstream
fix-match-hostname.diff
add-debian-platform.diff
fix-hyphen-used-as-minus-sign.patch
fix-manpage-has-errors-from-man.patch
fix-typo.patch
fix-ipa-conf.diff
fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
fix-bind-conf.diff
add-a-clear-openssl-exception.diff
migrate-to-gpg.diff
dnssec-race-wa.diff
use-bind9.16.diff
fix-sssd-socket-activation.diff
fix-chrony-service-name.diff

24
debian/patches/use-bind9.16.diff vendored Normal file

@@ -0,0 +1,24 @@
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -58,7 +58,7 @@ class DebianPathNamespace(BasePathNamesp
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
- SYSCONFIG_NAMED = "/etc/default/bind9"
+ SYSCONFIG_NAMED = "/etc/default/named"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -23,8 +23,8 @@ debian_system_units = redhat_services.re
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
-debian_system_units['named-regular'] = 'bind9.service'
-debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
+debian_system_units['named-regular'] = 'named.service'
+debian_system_units['named-pkcs11'] = 'named-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
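Review bot: `debian_system_units['named']` on the line after the hunk still aliases `named-pkcs11`, now `named-pkcs11.service`, while `SYSCONFIG_NAMED` moves to bind 9.16's `/etc/default/named`; if the Debian 9.16 packages do not ship a `named-pkcs11.service` unit, `services.knownservices.named` resolves to a unit that does not exist, and the `named-conflict` alias that the base Red Hat mapping points at `named-regular` would (unless the Debian mapping overrides it elsewhere) make `mask_conflict()` mask the only real `named.service`. Worth confirming which units the target bind9 package provides and, if only `named.service` exists, swapping the aliases the way the Fedora mapping does (`named` to `named-regular`, `named-conflict` to `named-pkcs11`). A one-line comment above the aliases stating which bind9 version and unit layout they assume would also spare the next person bumping the package.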


@@ -1,25 +0,0 @@
Description: service apache2 restart fails on sid, so don't do that
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1212,7 +1212,8 @@ def main():
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -124,7 +124,8 @@ class HTTPInstance(service.Service):
def __start(self):
self.backup_state("running", self.is_running())
- self.restart()
+ self.stop()
+ self.start()
def __enable(self):
self.backup_state("enabled", self.is_running())