Import Debian changes 4.12.4-1

freeipa (4.12.4-1) unstable; urgency=medium
.
  * New upstream release.
    - CVE-2024-11029 (Closes: #1093383)
    - CVE-2025-4404 (Closes: #1108050)
  * control: Demote libnss-myhostname to Suggests. (ref. #1006829)
  * patches: Fix samba lock directory location. (Closes: #1012593)
  * patches: Map nobody group to nogroup on Debian. (Closes: #1012592)
.
freeipa (4.12.2-3) unstable; urgency=medium
.
  * control: Add libnss-myhostname to client depends. (Closes: #1006829)
  * control: Add python3-ifaddr to ipalib depends. (Closes: #1089716)
  * control: Add python3-sphinx to build-depends. (Closes: #1003179,
    #1044642, #1049799)
.
freeipa (4.12.2-2) unstable; urgency=medium
.
  * control: Migrate to bind9-dnsutils. (Closes: #1094939)
.
freeipa (4.12.2-1) unstable; urgency=medium
.
  * New upstream release.
    - CVE-2024-2698 (Closes: #1077682)
    - CVE-2024-3183 (Closes: #1077683)
  * control: Drop conflicts on systemd-timesyncd as upstream recognizes
    it now. (Closes: #1072168)
  * use-raw-strings.diff: Dropped, upstream.
  * rules: Fix installing bash-completions. (Closes: #1089329)
  * control: Drop python3-nose from build-depends, unused. (Closes:
    #1018359)
.
freeipa (4.11.1-2.1) unstable; urgency=medium
.
  * Non-maintainer upload.
  * Replace systemd Build-Depends with systemd-dev for systemd.pc.
    (Closes: #1060469)
.
freeipa (4.11.1-2) unstable; urgency=medium
.
  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service. (LP:
    #2061055)
.
freeipa (4.11.1-1) unstable; urgency=medium
.
  * New upstream release.
  * control: Add sssd-passkey to freeipa-client Recommends.
  * control.server: Drop python3-paste from python3-ipatests depends,
    obsolete.
  * control, rules: Replace hardcoded librpm9 depends. (Closes:
    #1067570)
.
freeipa (4.10.2-2) unstable; urgency=medium
.
  [ Timo Aaltonen ]
  * control: Bump certmonger dependency.
.
  [ Helmut Grohne ]
  * Fix FTBFS when systemd.pc changes systemdsystemunitdir. (Closes:
    #1052641)
.
freeipa (4.10.2-1) unstable; urgency=medium
.
  * New upstream release.
  * control: Bump sssd, bind9 depends.
  * source: Update extend-diff-ignore.
  * copyright, source: Fix some lintian issues/overrides.
  * server-trust-ad: Add a lintian override for the samba plugin rpath.
  * source: Add a lintian override for client-only build; empty-debian-
    tests-control.
.
freeipa (4.9.11-1) unstable; urgency=medium
.
  * New upstream release. (Closes: #1029070)
  * control: Add systemd-timesyncd to freeipa-client Conflicts. (Closes:
    #1008195)
  * patches: Drop upstreamed patches.
  * source: Extend diff-ignore.
  * server.install: Updated.
.
freeipa (4.9.8-1) unstable; urgency=medium
.
  * New upstream release.
  * patches: Drop upstreamed patch.
  * server.install: Updated.
  * Build only the client in order to be able to backport to bullseye.
    (Closes: #996946)
  * control: Depend on librpm9 instead of librpm8.
  * tests: Disabled for a client-only build.
.
freeipa (4.9.7-3) unstable; urgency=medium
.
  * tests: Set KRB5_TRACE to use stderr.
  * patches: Fix apache group properly.
  * client: Move .tmpfile -> .tmpfiles.
  * control: Bump debhelper to 13, gain dh_installtmpfiles being run.
  * control, rules: Add --without-ipa-join-xml and drop libxmlrpc from depends.
  * server.postinst: Drop creating old ccaches for mod_auth_gssapi, obsolete.
  * server.postinst: Drop old upgrade rules.
  * patches: Fix named keytab name.
.
freeipa (4.9.7-2) unstable; urgency=medium
.
  * lintian: Drop override on python-script-but-no-python-dep, which doesn't
    exist anymore.
  * rules: Add fortify flag to CFLAGS, as CPPFLAGS isn't used by the project.
  * ci: Drop allowed failure for blhc, it passes now.
  * control: Build-depend on libcurl4-openssl-dev.
  * fix-paths.diff: Fix some paths in ipaplatform/base.
  * fix-apache-group.diff: Fix apache group name in ipa.conf tmpfile.
  * control: Depend on gpg instead of gnupg.
  * control: Drop libwbclient-sssd from freeipa-client-samba Depends.
  * patches: Import a patch to fix ipa cert-find. (Closes: #997952)
.
freeipa (4.9.7-1) unstable; urgency=medium
.
  * New upstream release.
  * control: Drop obsolete depends on python3-nss.
  * pkcs11-openssl-for-bind.diff,
    migrate-to-gpg.diff,
    use-bind9.16.diff,
    fix-chrony-service-name.diff:
    - Dropped, upstream.
  * watch: Fixed to find upstream rc's.
  * source: Update extend-diff-ignore.
  * control: Add libcurl-dev, libjansson-dev and libpwquality-dev to
    build-depends.
  * install: Added new files.
  * rules: Drop ipasphinx files for now.
  * control: Drop dependency on custodia, not needed.
  * control: Bump 389-ds-base depends.
  * control: Drop python3-coverage depends, it's not used.
  * control: Bump dogtag depends.
This commit is contained in:
Timo Aaltonen
2025-06-25 12:40:45 +03:00
committed by geos_one
1663 changed files with 874545 additions and 555555 deletions

debian/changelog vendored

@@ -1,3 +1,167 @@
freeipa (4.12.4-1) unstable; urgency=medium
* New upstream release.
- CVE-2024-11029 (Closes: #1093383)
- CVE-2025-4404 (Closes: #1108050)
* control: Demote libnss-myhostname to Suggests. (ref. #1006829)
* patches: Fix samba lock directory location. (Closes: #1012593)
* patches: Map nobody group to nogroup on Debian. (Closes: #1012592)
-- Timo Aaltonen <tjaalton@debian.org> Wed, 25 Jun 2025 12:40:45 +0300
freeipa (4.12.2-3) unstable; urgency=medium
* control: Add libnss-myhostname to client depends. (Closes: #1006829)
* control: Add python3-ifaddr to ipalib depends. (Closes: #1089716)
* control: Add python3-sphinx to build-depends. (Closes: #1003179,
#1044642, #1049799)
-- Timo Aaltonen <tjaalton@debian.org> Tue, 04 Feb 2025 21:06:42 +0200
freeipa (4.12.2-2) unstable; urgency=medium
* control: Migrate to bind9-dnsutils. (Closes: #1094939)
-- Timo Aaltonen <tjaalton@debian.org> Sat, 01 Feb 2025 20:09:51 +0200
freeipa (4.12.2-1) unstable; urgency=medium
* New upstream release.
- CVE-2024-2698 (Closes: #1077682)
- CVE-2024-3183 (Closes: #1077683)
* control: Drop conflicts on systemd-timesyncd as upstream recognizes
it now. (Closes: #1072168)
* use-raw-strings.diff: Dropped, upstream.
* rules: Fix installing bash-completions. (Closes: #1089329)
* control: Drop python3-nose from build-depends, unused. (Closes:
#1018359)
-- Timo Aaltonen <tjaalton@debian.org> Mon, 09 Dec 2024 15:34:56 +0200
freeipa (4.11.1-2.1) unstable; urgency=medium
* Non-maintainer upload.
* Replace systemd Build-Depends with systemd-dev for systemd.pc.
(Closes: #1060469)
-- Michael Biebl <biebl@debian.org> Wed, 17 Jul 2024 19:35:06 +0200
freeipa (4.11.1-2) unstable; urgency=medium
* use-raw-strings.diff: Import patch from upstream to fix noise when
installing. (LP: #2060298)
* map-ssh-service.diff: Map sshd service to use ssh.service. (LP:
#2061055)
-- Timo Aaltonen <tjaalton@debian.org> Fri, 12 Apr 2024 14:31:35 +0300
freeipa (4.11.1-1) unstable; urgency=medium
* New upstream release.
* control: Add sssd-passkey to freeipa-client Recommends.
* control.server: Drop python3-paste from python3-ipatests depends,
obsolete.
* control, rules: Replace hardcoded librpm9 depends. (Closes:
#1067570)
-- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Apr 2024 15:59:30 +0300
freeipa (4.10.2-2) unstable; urgency=medium
[ Timo Aaltonen ]
* control: Bump certmonger dependency.
[ Helmut Grohne ]
* Fix FTBFS when systemd.pc changes systemdsystemunitdir. (Closes:
#1052641)
-- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Oct 2023 12:46:48 +0300
freeipa (4.10.2-1) unstable; urgency=medium
* New upstream release.
* control: Bump sssd, bind9 depends.
* source: Update extend-diff-ignore.
* copyright, source: Fix some lintian issues/overrides.
* server-trust-ad: Add a lintian override for the samba plugin rpath.
* source: Add a lintian override for client-only build; empty-debian-
tests-control.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 10 Aug 2023 11:16:37 +0300
freeipa (4.9.11-1) unstable; urgency=medium
* New upstream release. (Closes: #1029070)
* control: Add systemd-timesyncd to freeipa-client Conflicts. (Closes:
#1008195)
* patches: Drop upstreamed patches.
* source: Extend diff-ignore.
* server.install: Updated.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Jan 2023 18:22:38 +0200
freeipa (4.9.8-1) unstable; urgency=medium
* New upstream release.
* patches: Drop upstreamed patch.
* server.install: Updated.
* Build only the client in order to be able to backport to bullseye.
(Closes: #996946)
* control: Depend on librpm9 instead of librpm8.
* tests: Disabled for a client-only build.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 15 Dec 2021 16:41:25 +0200
freeipa (4.9.7-3) unstable; urgency=medium
* tests: Set KRB5_TRACE to use stderr.
* patches: Fix apache group properly.
* client: Move .tmpfile -> .tmpfiles.
* control: Bump debhelper to 13, gain dh_installtmpfiles being run.
* control, rules: Add --without-ipa-join-xml and drop libxmlrpc from depends.
* server.postinst: Drop creating old ccaches for mod_auth_gssapi, obsolete.
* server.postinst: Drop old upgrade rules.
* patches: Fix named keytab name.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 18 Nov 2021 21:20:16 +0200
freeipa (4.9.7-2) unstable; urgency=medium
* lintian: Drop override on python-script-but-no-python-dep, which doesn't
exist anymore.
* rules: Add fortify flag to CFLAGS, as CPPFLAGS isn't used by the project.
* ci: Drop allowed failure for blhc, it passes now.
* control: Build-depend on libcurl4-openssl-dev.
* fix-paths.diff: Fix some paths in ipaplatform/base.
* fix-apache-group.diff: Fix apache group name in ipa.conf tmpfile.
* control: Depend on gpg instead of gnupg.
* control: Drop libwbclient-sssd from freeipa-client-samba Depends.
* patches: Import a patch to fix ipa cert-find. (Closes: #997952)
-- Timo Aaltonen <tjaalton@debian.org> Wed, 17 Nov 2021 15:40:55 +0200
freeipa (4.9.7-1) unstable; urgency=medium
* New upstream release.
* control: Drop obsolete depends on python3-nss.
* pkcs11-openssl-for-bind.diff,
migrate-to-gpg.diff,
use-bind9.16.diff,
fix-chrony-service-name.diff:
- Dropped, upstream.
* watch: Fixed to find upstream rc's.
* source: Update extend-diff-ignore.
* control: Add libcurl-dev, libjansson-dev and libpwquality-dev to
build-depends.
* install: Added new files.
* rules: Drop ipasphinx files for now.
* control: Drop dependency on custodia, not needed.
* control: Bump 389-ds-base depends.
* control: Drop python3-coverage depends, it's not used.
* control: Bump dogtag depends.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 13 Oct 2021 15:19:00 +0300
freeipa (4.8.10-2) unstable; urgency=medium
* client: Drop obsolete nssdb migration, which is now causing an
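Review bot: the 4.12.4-1 entry lists CVE-2024-11029 and CVE-2025-4404 under "New upstream release" with only bug numbers; a Debian changelog entry that closes a CVE normally carries a short description per CVE (affected component, class of issue) so the security tracker and backporters can tell what was fixed without opening the bug. The same applies to CVE-2024-2698 and CVE-2024-3183 in the 4.12.2-1 entry.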

debian/control vendored

@@ -9,21 +9,23 @@ Vcs-Browser: https://salsa.debian.org/freeipa-team/freeipa
Homepage: http://www.freeipa.org
Build-Depends:
check,
debhelper-compat (= 12),
debhelper-compat (= 13),
dh-python,
gettext,
krb5-user,
libcmocka-dev,
libcurl4-openssl-dev,
libini-config-dev,
libjansson-dev,
libkrad-dev,
libkrb5-dev (>= 1.16),
libkrb5-dev (>= 1.18),
libldap2-dev,
libnspr4-dev,
libpopt-dev,
librpm-dev,
libsasl2-dev,
libssl-dev,
libtalloc-dev,
libxmlrpc-core-c3-dev (>= 1.33.06),
python3-all-dev,
python3-cryptography,
python3-dbus,
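Review bot: libkrb5-dev moves to (>= 1.18) here, but the freeipa-client Depends further down keep krb5-user unversioned; if the 1.18 floor exists because the client binaries use a newer libkrb5 API, the runtime side should carry a matching floor, as control.server does with krb5-kdc (>= 1.18). Dropping libxmlrpc-core-c3-dev is consistent with the --without-ipa-join-xml change in the 4.9.7-3 entry and with the removal of libxmlrpc-core-c3 from the client Depends below.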
@@ -38,31 +40,17 @@ Build-Depends:
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nose,
python3-nss (>= 0.16.0),
python3-polib,
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-setuptools,
python3-six,
python3-sphinx,
python3-sss (>= 1.14.0),
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
systemd-dev,
uuid-dev,
389-ds-base-dev (>= 1.3.7.9),
libsss-idmap-dev,
libsss-certmap-dev,
libsss-nss-idmap-dev (>= 1.14.0),
libtevent-dev,
libunistring-dev,
libverto-dev,
nodejs [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x],
pki-base (>= 10.6.0~),
python3-lesscpy,
python3-pkg-resources,
python3-rjsmin,
samba-dev,
Package: freeipa-common
Architecture: all
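Review bot: debian/control here loses the whole server-side build block (389-ds-base-dev through samba-dev), matching the client-only build announced in the 4.9.8-1 entry, while debian/control.server in this same commit still bumps those very versions; that means debian/control is a generated file assembled from control.stub and control.common and must not be edited by hand, which is worth a comment at the top of the file. Dropping python3-nss here and from the python3-ipalib Depends keeps build and runtime in sync.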
@@ -81,9 +69,9 @@ Package: freeipa-client
Architecture: any
Depends:
bind9-utils,
certmonger (>= 0.79.5-2),
certmonger (>= 0.79.14),
curl,
dnsutils,
bind9-dnsutils,
freeipa-common (= ${source:Version}),
krb5-user,
libnss3-tools,
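Review bot: the certmonger floor moves from 0.79.5-2 to 0.79.14 here and again in control.server, but the 4.10.2-2 entry only says "Bump certmonger dependency" without a reason; naming the certmonger feature or fix the client needs would let backporters decide whether the bump is hard. The dnsutils to bind9-dnsutils rename matches the 4.12.2-2 entry (#1094939).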
@@ -91,20 +79,21 @@ Depends:
libpam-sss,
libsasl2-modules-gssapi-mit,
libsss-sudo,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
oddjob-mkhomedir,
python3-dnspython,
python3-ipaclient (= ${source:Version}),
python3-gssapi,
python3-ldap,
python3-sss,
sssd (>= 1.14.0),
sssd (>= 2.8.0),
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
chrony,
sssd-passkey,
Suggests:
libnss-myhostname,
libpam-krb5,
Description: FreeIPA centralized identity framework -- client
FreeIPA is an integrated solution to provide centrally managed Identity
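Review bot: libnss-myhostname moves to Suggests, so a default installation no longer pulls it in; the 4.12.2-3 entry added it to Depends for #1006829 and the 4.12.4-1 entry only demotes it with a "ref.", so the client installer's dependence on the local hostname resolving should be handled or documented rather than assumed. Separately, the removed libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5) line carried an Ubuntu version string in a Debian package; apache2 (>= 2.4.41-4ubuntu2) in control.server has the same problem and survives this commit.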
@@ -137,7 +126,6 @@ Architecture: any
Depends:
cifs-utils,
freeipa-client (= ${binary:Version}),
libwbclient-sssd,
python3-samba,
samba-common-bin,
smbclient,
@@ -181,21 +169,20 @@ Architecture: all
Section: python
Depends:
freeipa-common (= ${source:Version}),
gnupg,
gpg,
gpg-agent,
keyutils,
librpm8 | librpm9,
python3-cffi,
python3-cryptography,
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ifaddr,
python3-ldap,
python3-libipa-hbac,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nss (>= 0.16.0),
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-requests,
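Review bot: "librpm8 | librpm9" is removed here and replaced by a ${lib:Depends} substvar in the following hunk; that only works if debian/rules actually computes and writes lib:Depends (the 4.11.1-1 entry says "control, rules"), because dpkg-gencontrol expands an unset substvar to nothing with just a warning and python3-ipalib would silently lose its librpm dependency. Replacing gnupg with gpg plus gpg-agent is the right narrowing for a library that only needs the binary (4.9.7-2 entry).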
@@ -207,6 +194,7 @@ Depends:
${misc:Depends},
${python3:Depends},
${shlibs:Depends},
${lib:Depends},
Description: FreeIPA centralized identity framework -- shared Python3 modules
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -215,186 +203,3 @@ Description: FreeIPA centralized identity framework -- shared Python3 modules
.
This Python3 module is used by other FreeIPA packages.
Package: freeipa-server
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Breaks: freeipa-server-trust-ad (<< 4.3.0-1)
Replaces: freeipa-server-trust-ad (<< 4.3.0-1)
Depends:
389-ds-base (>= 1.3.7.9),
acl,
adduser,
apache2 (>= 2.4.41-4ubuntu2),
certmonger (>= 0.79.5-2),
chrony,
custodia (>= 0.5.0),
fonts-font-awesome,
fonts-open-sans,
freeipa-client (= ${binary:Version}),
freeipa-common (= ${source:Version}),
gssproxy (>= 0.8.2-2),
krb5-admin-server,
krb5-kdc,
krb5-kdc-ldap,
krb5-otp,
krb5-pkinit,
ldap-utils,
libapache2-mod-auth-gssapi (>= 1.5.0),
libapache2-mod-lookup-identity (>= 1.0.0),
libapache2-mod-wsgi-py3,
libjs-dojo-core,
libjs-jquery,
libjs-scriptaculous,
libnss3-tools,
libsasl2-modules-gssapi-mit,
oddjob (>= 0.34.3-2),
p11-kit,
pki-ca (>= 10.6.0~),
pki-kra (>= 10.6.0~),
python3-dateutil,
python3-ipaserver (= ${source:Version}),
python3-gssapi,
python3-ldap (>= 2.4.22),
python3-systemd,
slapi-nis (>= 0.56.1),
ssl-cert,
sssd-dbus,
systemd-sysv,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
freeipa-server-dns,
Description: FreeIPA centralized identity framework -- server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This is the server package.
Package: freeipa-server-dns
Architecture: all
Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.16),
bind9-dyndb-ldap (>= 11.4),
libengine-pkcs11-openssl,
opendnssec (>= 1:2.1.5),
softhsm2,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- IPA DNS integration
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package adds DNS integration with BIND 9.
Package: freeipa-server-trust-ad
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Depends:
freeipa-common (= ${source:Version}),
freeipa-server (= ${binary:Version}),
python3-ipaserver (= ${source:Version}),
python3-samba,
samba,
winbind,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Multi-Arch: same
Description: FreeIPA centralized identity framework -- AD trust installer
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.
Package: freeipa-tests
Architecture: all
Depends:
python3-ipalib (>= ${source:Version}),
python3-ipatests (>= ${source:Version}),
python3-pytest,
${misc:Depends},
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package contains tests that verify IPA functionality.
Package: python3-ipaserver
Architecture: all
Section: python
Breaks: freeipa-server (<< 4.3.0-1),
freeipa-server-trust-ad (<< 4.4.4-1),
Replaces: freeipa-server (<< 4.3.0-1),
freeipa-server-trust-ad (<< 4.4.4-1),
Depends:
freeipa-common (= ${binary:Version}),
pki-tools (>= 10.2.6-3),
python3-custodia (>= 0.5.0),
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ipaclient (= ${binary:Version}),
python3-ipalib (>= ${source:Version}),
python3-jwcrypto,
python3-kdcproxy,
python3-ldap (>= 2.4.22),
python3-libsss-nss-idmap,
python3-pki-base,
python3-pyasn1,
python3-sss,
samba-common,
zip,
${misc:Depends},
${python3:Depends},
Description: FreeIPA centralized identity framework -- Python3 modules for server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python3 module is used by FreeIPA server.
Package: python3-ipatests
Architecture: all
Section: python
Breaks: freeipa-tests (<< 4.3.0-1)
Replaces: freeipa-tests (<< 4.3.0-1)
Depends:
libnss3-tools,
python3-coverage,
python3-ipalib (>= ${source:Version}),
python3-mock,
python3-paramiko,
python3-paste,
python3-polib,
python3-pytest-multihost,
python3-pytest-sourceorder,
python3-sss,
xz-utils,
${misc:Depends},
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- Python3 modules for tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python3 module is used by FreeIPA tests.
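Review bot: this hunk deletes every server binary package from the generated debian/control (freeipa-server, -server-dns, -server-trust-ad, -tests, python3-ipaserver, python3-ipatests), so any remaining Breaks/Replaces or Recommends in the client stanzas that still name these packages should be checked. The removed freeipa-server stanza also carried custodia (>= 0.5.0), which the 4.9.7-1 entry says is no longer needed, and the Ubuntu-specific apache2 (>= 2.4.41-4ubuntu2); both still sit unchanged in control.server and will return as-is when the server build is re-enabled.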

debian/control.common vendored

@@ -16,9 +16,9 @@ Package: freeipa-client
Architecture: any
Depends:
bind9-utils,
certmonger (>= 0.79.5-2),
certmonger (>= 0.79.14),
curl,
dnsutils,
bind9-dnsutils,
freeipa-common (= ${source:Version}),
krb5-user,
libnss3-tools,
@@ -26,20 +26,21 @@ Depends:
libpam-sss,
libsasl2-modules-gssapi-mit,
libsss-sudo,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
oddjob-mkhomedir,
python3-dnspython,
python3-ipaclient (= ${source:Version}),
python3-gssapi,
python3-ldap,
python3-sss,
sssd (>= 1.14.0),
sssd (>= 2.8.0),
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
chrony,
sssd-passkey,
Suggests:
libnss-myhostname,
libpam-krb5,
Description: FreeIPA centralized identity framework -- client
FreeIPA is an integrated solution to provide centrally managed Identity
@@ -72,7 +73,6 @@ Architecture: any
Depends:
cifs-utils,
freeipa-client (= ${binary:Version}),
libwbclient-sssd,
python3-samba,
samba-common-bin,
smbclient,
@@ -116,21 +116,20 @@ Architecture: all
Section: python
Depends:
freeipa-common (= ${source:Version}),
gnupg,
gpg,
gpg-agent,
keyutils,
librpm8 | librpm9,
python3-cffi,
python3-cryptography,
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ifaddr,
python3-ldap,
python3-libipa-hbac,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nss (>= 0.16.0),
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-requests,
@@ -142,6 +141,7 @@ Depends:
${misc:Depends},
${python3:Depends},
${shlibs:Depends},
${lib:Depends},
Description: FreeIPA centralized identity framework -- shared Python3 modules
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy

debian/control.server vendored

@@ -4,20 +4,19 @@ Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Breaks: freeipa-server-trust-ad (<< 4.3.0-1)
Replaces: freeipa-server-trust-ad (<< 4.3.0-1)
Depends:
389-ds-base (>= 1.3.7.9),
389-ds-base (>= 1.4.4.16),
acl,
adduser,
apache2 (>= 2.4.41-4ubuntu2),
certmonger (>= 0.79.5-2),
certmonger (>= 0.79.14),
chrony,
custodia (>= 0.5.0),
fonts-font-awesome,
fonts-open-sans,
freeipa-client (= ${binary:Version}),
freeipa-common (= ${source:Version}),
gssproxy (>= 0.8.2-2),
krb5-admin-server,
krb5-kdc,
krb5-kdc (>= 1.18),
krb5-kdc-ldap,
krb5-otp,
krb5-pkinit,
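Review bot: krb5-kdc gains (>= 1.18) in line with the libkrb5-dev build-dependency, but krb5-admin-server, krb5-kdc-ldap, krb5-otp and krb5-pkinit in the same Depends stay unversioned although they come from the same source; version them all or explain why only the KDC needs the floor. custodia (>= 0.5.0) also survives here even though python3-custodia is dropped from python3-ipaserver below and the 4.9.7-1 entry says the custodia dependency is not needed.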
@@ -32,8 +31,8 @@ Depends:
libsasl2-modules-gssapi-mit,
oddjob (>= 0.34.3-2),
p11-kit,
pki-ca (>= 10.6.0~),
pki-kra (>= 10.6.0~),
pki-ca (>= 10.10.6~),
pki-kra (>= 10.10.6~),
python3-dateutil,
python3-ipaserver (= ${source:Version}),
python3-gssapi,
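Review bot: pki-ca and pki-kra move to (>= 10.10.6~) in step with pki-base in the build-dependency fragment, but pki-tools (>= 10.2.6-3) further down in control.server is left at the old floor; it is built from the same source, so align it.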
@@ -62,7 +61,7 @@ Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.16),
bind9 (>= 1:9.18.7),
bind9-dyndb-ldap (>= 11.4),
libengine-pkcs11-openssl,
opendnssec (>= 1:2.1.5),
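Review bot: bind9 rises to (>= 1:9.18.7) while bind9-dyndb-ldap stays at (>= 11.4); the dyndb plugin is loaded into named and is tied to the BIND version it was built for, so check that the 11.4 floor still admits a build that works with 9.18, otherwise the two can be co-installed and fail only when named starts.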
@@ -128,7 +127,6 @@ Replaces: freeipa-server (<< 4.3.0-1),
Depends:
freeipa-common (= ${binary:Version}),
pki-tools (>= 10.2.6-3),
python3-custodia (>= 0.5.0),
python3-dbus,
python3-dnspython,
python3-gssapi,
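Review bot: the context line freeipa-common (= ${binary:Version}) in an Architecture: all package should use ${source:Version}, as the client stanza already does; freeipa-common is itself Architecture: all and the strict binary:Version form is the pattern lintian flags for arch-all packages.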
@@ -160,11 +158,9 @@ Breaks: freeipa-tests (<< 4.3.0-1)
Replaces: freeipa-tests (<< 4.3.0-1)
Depends:
libnss3-tools,
python3-coverage,
python3-ipalib (>= ${source:Version}),
python3-mock,
python3-paramiko,
python3-paste,
python3-polib,
python3-pytest-multihost,
python3-pytest-sourceorder,

View File

@@ -1,4 +1,5 @@
389-ds-base-dev (>= 1.3.7.9),
389-ds-base-dev (>= 1.4.4.16),
libpwquality-dev,
libsss-idmap-dev,
libsss-certmap-dev,
libsss-nss-idmap-dev (>= 1.14.0),
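Review bot: libpwquality-dev is added only to this server-side fragment, while libcurl4-openssl-dev and libjansson-dev from the same 4.9.7-1 entry went into control.stub; the entry lists all three together as build-depends, so confirm libpwquality-dev is not also needed by the client-only build, whose generated control above does not carry it.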
@@ -6,7 +7,7 @@
libunistring-dev,
libverto-dev,
nodejs [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x],
pki-base (>= 10.6.0~),
pki-base (>= 10.10.6~),
python3-lesscpy,
python3-pkg-resources,
python3-rjsmin,

debian/control.stub vendored

@@ -9,21 +9,23 @@ Vcs-Browser: https://salsa.debian.org/freeipa-team/freeipa
Homepage: http://www.freeipa.org
Build-Depends:
check,
debhelper-compat (= 12),
debhelper-compat (= 13),
dh-python,
gettext,
krb5-user,
libcmocka-dev,
libcurl4-openssl-dev,
libini-config-dev,
libjansson-dev,
libkrad-dev,
libkrb5-dev (>= 1.16),
libkrb5-dev (>= 1.18),
libldap2-dev,
libnspr4-dev,
libpopt-dev,
librpm-dev,
libsasl2-dev,
libssl-dev,
libtalloc-dev,
libxmlrpc-core-c3-dev (>= 1.33.06),
python3-all-dev,
python3-cryptography,
python3-dbus,
@@ -38,15 +40,14 @@ Build-Depends:
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nose,
python3-nss (>= 0.16.0),
python3-polib,
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-setuptools,
python3-six,
python3-sphinx,
python3-sss (>= 1.14.0),
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
systemd-dev,
uuid-dev,

debian/copyright vendored

@@ -6,6 +6,11 @@ Files: *
Copyright: 1999-2011 Red Hat, Inc.
License: GPL-3+
Files: debian/*
Copyright: Michele Baldessari michele@pupazzo.org>
Timo Aaltonen <tjaalton@ubuntu.com>
License: GPL-2+
Files: daemons/ipa-slapi-plugins/*/*.c
daemons/ipa-slapi-plugins/*/*.h
Copyright: 2005-2010 Red Hat, Inc.
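Review bot: "Copyright: Michele Baldessari michele@pupazzo.org>" is missing the opening "<" before the address; the stanza is being moved from further down in the file (where the same typo is removed), so this is the moment to fix it rather than carry it over.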
@@ -81,9 +86,8 @@ Copyright: 2012-2013, Dave Gandy <drgandy@alum.mit.edu>
License: MIT
Files: install/ui/util/build/build.js
install/ui/util/build/_base/configRhino.js
install/ui/build/dojo/dojo.js
debian/missing-sources/dojo
debian/missing-sources/dojo/*
Copyright: 2004-2012, The Dojo Foundation
License: BSD-3-clause or AFL-2.1
@@ -92,11 +96,6 @@ Copyright: 2009, John Resig, Jörn Zaefferer
2008, Ariel Flesler
License: MIT or GPL-2 or BSD-2-clause
Files: debian/*
Copyright: Michele Baldessari michele@pupazzo.org>
Timo Aaltonen <tjaalton@ubuntu.com>
License: GPL-2+
License: GPL-2
On Debian machines the full text of the GNU General Public License
version 2 can be found in the file /usr/share/common-licenses/GPL-2.

View File

@@ -1,7 +1,7 @@
etc/ipa/epn.conf
etc/ipa/epn/expire_msg.template
lib/systemd/system/ipa-epn.service
lib/systemd/system/ipa-epn.timer
${env:systemdsystemunitdir}/ipa-epn.service
${env:systemdsystemunitdir}/ipa-epn.timer
usr/sbin/ipa-epn
usr/share/man/man1/ipa-epn.1
usr/share/man/man5/epn.conf.5
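Review bot: installing the ipa-epn units through ${env:systemdsystemunitdir} (the Helmut Grohne FTBFS fix, #1052641) relies on two things that are not in this hunk: debian/rules must export that variable into the environment dh_install runs in, and ${env:...} substitution in .install files only happens at debhelper compat 13, which the control diff in this commit does bump from 12.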

View File

@@ -1,5 +1,6 @@
etc/default/certmonger
usr/bin/ipa
usr/lib/ipa/acme/certbot-dns-ipa
usr/sbin/ipa-certupdate
usr/sbin/ipa-client-automount
usr/sbin/ipa-client-install
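Review bot: usr/lib/ipa/acme/certbot-dns-ipa is a certbot hook installed unconditionally into freeipa-client, yet certbot appears in neither the client Depends nor its Suggests in this commit; a Suggests: certbot line would document the relationship for users who find the script.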

View File

@@ -1,3 +1 @@
# lintian is lying
python-script-but-no-python-dep
possible-bashism-in-maintainer-script

View File

@@ -1,8 +0,0 @@
#!/bin/sh
set -e
if [ ! -e /run/ipa ]; then
mkdir -m 0700 /run/ipa
fi
#DEBHELPER#
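Review bot: removing this postinst means /run/ipa is no longer created at configure time with mode 0700; since /run is volatile the mkdir never survived a reboot anyway, so the directory must now come from the tmpfiles.d snippet (the 4.9.7-3 entry renames .tmpfile to .tmpfiles and enables dh_installtmpfiles). Check that the tmpfiles entry keeps the 0700 mode and intended owner, because a looser mode would expose whatever the client places under /run/ipa.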

View File

@@ -1,3 +0,0 @@
# lintian is lying
python-script-but-no-python-dep

View File

@@ -1,2 +1,2 @@
# lintian is lying
python-script-but-no-python-dep
# plugin
custom-library-search-path

View File

@@ -4,17 +4,20 @@ etc/ipa/html/*
etc/ipa/kdcproxy
etc/dbus-1/system.d/org.freeipa.server.conf
etc/oddjobd.conf.d/ipa-server.conf
lib/systemd/system/ipa-custodia.service
lib/systemd/system/ipa-dnskeysyncd.service
lib/systemd/system/ipa-ods-exporter.service
lib/systemd/system/ipa-ods-exporter.socket
lib/systemd/system/ipa-otpd.socket
lib/systemd/system/ipa-otpd@.service
lib/systemd/system/ipa.service
${env:systemdsystemunitdir}/ipa-ccache-sweep.service
${env:systemdsystemunitdir}/ipa-ccache-sweep.timer
${env:systemdsystemunitdir}/ipa-custodia.service
${env:systemdsystemunitdir}/ipa-dnskeysyncd.service
${env:systemdsystemunitdir}/ipa-ods-exporter.service
${env:systemdsystemunitdir}/ipa-ods-exporter.socket
${env:systemdsystemunitdir}/ipa-otpd.socket
${env:systemdsystemunitdir}/ipa-otpd@.service
${env:systemdsystemunitdir}/ipa.service
usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
usr/lib/*/dirsrv/plugins/libipa_extdom_extop.so
usr/lib/*/dirsrv/plugins/libipa_graceperiod.so
usr/lib/*/dirsrv/plugins/libipa_lockout.so
usr/lib/*/dirsrv/plugins/libipa_modrdn.so
usr/lib/*/dirsrv/plugins/libipa_otp_counter.so
@@ -35,6 +38,7 @@ usr/lib/ipa/custodia/ipa-custodia-dmldap
usr/lib/ipa/custodia/ipa-custodia-pki-tomcat
usr/lib/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
usr/lib/ipa/custodia/ipa-custodia-ra-agent
usr/lib/ipa/ipa-ccache-sweeper
usr/lib/ipa/ipa-custodia
usr/lib/ipa/ipa-custodia-check
usr/lib/ipa/ipa-dnskeysync-replica
@@ -46,9 +50,12 @@ usr/lib/ipa/ipa-otpd
usr/lib/ipa/ipa-pki-retrieve-key
usr/lib/ipa/ipa-pki-wait-running
usr/lib/ipa/ipa-print-pac
usr/lib/ipa/ipa-subids
usr/lib/ipa/oddjob/org.freeipa.server.config-enable-sid
usr/lib/ipa/oddjob/org.freeipa.server.conncheck
usr/lib/ipa/oddjob/org.freeipa.server.trust-enable-agent
usr/lib/tmpfiles.d/ipa.conf
usr/sbin/ipa-acme-manage
usr/sbin/ipa-advise
usr/sbin/ipa-backup
usr/sbin/ipa-ca-install
@@ -90,6 +97,7 @@ usr/share/ipa/ui/*
usr/share/ipa/updates/*
usr/share/ipa/wsgi.py
usr/share/ipa/wsgi/*
usr/share/man/man1/ipa-acme-manage.1*
usr/share/man/man1/ipa-advise.1*
usr/share/man/man1/ipa-backup.1*
usr/share/man/man1/ipa-ca-install.1*

View File

@@ -1,5 +1,3 @@
# lintian is lying
python-script-but-no-python-dep
# we really need apache2
web-application-should-not-depend-unconditionally-on-apache2
# embedded versions used for better performance and function

View File

@@ -17,25 +17,6 @@ if [ "$1" = configure ]; then
ipaapi > $OUT
fi
# fix upgrade
if dpkg --compare-versions "$2" lt "4.7.0~pre2-1"; then
# mod_nss needs to be disabled before mod_ssl is enabled
if [ -e /etc/apache2/mods-enabled/nss.load ]; then
. /usr/share/apache2/apache2-maintscript-helper
apache2_invoke dismod nss || exit $?
# and if that's not enough, just remove the links to be sure
rm /etc/apache2/mods-enabled/nss.load /etc/apache2/mods-enabled/nss.conf
fi
# this is new in tmpfiles.d/ipa.conf, need to create it here
# for the upgrader
if [ ! -e /var/run/ipa/ccaches ]; then
mkdir /var/run/ipa/ccaches
chown ipaapi:ipaapi /var/run/ipa/ccaches
chmod 770 /var/run/ipa/ccaches
fi
fi
chmod 711 /var/lib/ipa/sysrestore > $OUT || true
chmod 700 /var/lib/ipa/passwds > $OUT || true
chmod 700 /var/lib/ipa/private > $OUT || true
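Review bot: the three chmod lines kept at the end of this hunk discard failures with "|| true" and send output to $OUT; /var/lib/ipa/passwds and /var/lib/ipa/private hold secrets, so a failed chmod 700 there should at least be reported rather than silently ignored. Dropping the pre-4.7.0~pre2-1 upgrade block (mod_nss removal, /var/run/ipa/ccaches) matches the "Drop old upgrade rules" item in the 4.9.7-3 entry.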
@@ -94,18 +75,4 @@ if [ "$1" = configure ]; then
fi
fi
if [ ! -e /run/apache2/ipa ]; then
mkdir -m 0700 /run/apache2/ipa
chown www-data:www-data /run/apache2/ipa
if [ ! -e /run/apache2/ipa/clientcaches ]; then
mkdir -m 0700 /run/apache2/ipa/clientcaches
chown www-data:www-data /run/apache2/ipa/clientcaches
fi
if [ ! -e /run/apache2/ipa/krbcache ]; then
mkdir -m 0700 /run/apache2/ipa/krbcache
chown www-data:www-data /run/apache2/ipa/krbcache
fi
fi
#DEBHELPER#
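Review bot: the creation of /run/apache2/ipa, clientcaches and krbcache as www-data with mode 0700 is removed here; these are the credential cache directories mod_auth_gssapi uses (the 4.9.7-3 entry drops "creating old ccaches for mod_auth_gssapi"), so the usr/lib/tmpfiles.d/ipa.conf now shipped in server.install must recreate them with the same owner and mode. The fix-apache-group.diff entry shows the group name in that file was already wrong once, so a test that the directories come up as www-data:www-data 0700 after a clean boot is worthwhile.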

View File

@@ -1,2 +0,0 @@
# lintian is just wrong
freeipa-tests: python-script-but-no-python-dep

View File

@@ -2,8 +2,5 @@ include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
blhc:
allow_failure: true
piuparts:
allow_failure: true

View File

@@ -0,0 +1,60 @@
From 8a9c5629214cd71e88a5ac9c1b639faad9fc4ec1 Mon Sep 17 00:00:00 2001
From: Frederik Himpe <frederik@frehi.be>
Date: Tue, 25 Feb 2025 13:49:23 +0100
Subject: [PATCH] Make name of nobody group configurable and use nogroup on
Debian
Fixes: https://pagure.io/freeipa/issue/9753
Signed-off-by: Frederik Himpe <frederik@frehi.be>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaplatform/base/constants.py | 1 +
ipaplatform/debian/constants.py | 1 +
ipaserver/install/adtrustinstance.py | 6 ++++--
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index f1ef7efff..4c8038a84 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -124,6 +124,7 @@ class BaseConstantsNamespace:
NAMED_OPTIONS_VAR = "OPTIONS"
NAMED_OPENSSL_ENGINE = None
NAMED_ZONE_COMMENT = ""
+ NOBODY_GROUP = Group("nobody")
PKI_USER = User("pkiuser")
PKI_GROUP = Group("pkiuser")
# ntpd init variable used for daemon options
diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py
index 7216694ad..f8ee8cf9f 100644
--- a/ipaplatform/debian/constants.py
+++ b/ipaplatform/debian/constants.py
@@ -29,5 +29,6 @@ class DebianConstantsNamespace(BaseConstantsNamespace):
ODS_USER = User("opendnssec")
ODS_GROUP = Group("opendnssec")
SECURE_NFS_VAR = "NEED_GSSD"
+ NOBODY_GROUP = Group("nogroup")
constants = DebianConstantsNamespace()
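Review bot: the Debian override maps BUILTIN\Guests to nogroup, which is the group Debian's base-passwd actually provides; because the base default stays Group("nobody") for every other platform and the caller below runs net with raiseonerr=False, a platform where that group is absent still fails silently, so a debug line mentioning the resolved group name (which the adtrustinstance hunk does add) is the only trace an operator will get.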
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index fd5a5a282..df2586ef1 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -123,9 +123,11 @@ def make_netbios_name(s):
def map_Guests_to_nobody():
env = {'LC_ALL': 'C'}
args = [paths.NET, '-s', '/dev/null', 'groupmap', 'add',
- 'sid=S-1-5-32-546', 'unixgroup=nobody', 'type=builtin']
+ 'sid=S-1-5-32-546',
+ 'unixgroup="' + constants.NOBODY_GROUP + '"', 'type=builtin']
- logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
+ logger.debug("Map BUILTIN\\Guests to a group '%s'",
+ constants.NOBODY_GROUP)
ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
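Review bot: the double quotes added around the group name in `'unixgroup="' + constants.NOBODY_GROUP + '"'` reach `net` literally, because `ipautil.run(args, ...)` takes an argv list and no shell strips them; the pre-patch argument was the bare `unixgroup=nobody`, so either drop the quotes (`'unixgroup=' + constants.NOBODY_GROUP`) or confirm that `net groupmap add` tolerates a quoted value (`net groupmap list` after installation shows which name the mapping actually received). Note also that `raiseonerr=False` means a host without a `nogroup` group would fail the mapping silently; logging the error output on non-zero exit would make that diagnosable.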
--
2.48.1


@@ -0,0 +1,54 @@
From 1e47185289fbbe29eedca82a4872d1d075b26c26 Mon Sep 17 00:00:00 2001
From: Frederik Himpe <frederik@frehi.be>
Date: Thu, 27 Feb 2025 11:28:30 +0100
Subject: [PATCH] Make path of Samba lock directory configurable and use
/run/samba on Debian
Signed-off-by: Frederik Himpe <frederik@frehi.be>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaplatform/base/paths.py | 1 +
ipaplatform/debian/paths.py | 1 +
ipaserver/install/adtrustinstance.py | 2 +-
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 6a62d7bd0..f794aae6d 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -350,6 +350,7 @@ class BasePathNamespace:
KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
KRACERT_P12 = "/root/kracert.p12"
SAMBA_DIR = "/var/lib/samba"
+ SAMBA_LOCKDIR = "/var/lib/samba/lock"
SSSD_DB = "/var/lib/sss/db"
SSSD_MC_GROUP = "/var/lib/sss/mc/group"
SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 7a8099680..229f185f0 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -44,6 +44,7 @@ class DebianPathNamespace(BasePathNamespace):
OPENSSL_DIR = "/usr/lib/ssl"
OPENSSL_CERTS_DIR = "/usr/lib/ssl/certs"
OPENSSL_PRIVATE_DIR = "/usr/lib/ssl/private"
+ SAMBA_LOCKDIR = "/run/samba"
ETC_DEBIAN_VERSION = "/etc/debian_version"
# Old versions of freeipa wrote all trusted certificates to a single
# file, which is not supported by ca-certificates.
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index df2586ef1..bc3a282e6 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -962,7 +962,7 @@ class ADTRUSTInstance(service.Service):
# in /var/lib/samba and /var/lib/samba/private
for smbpath in (paths.SAMBA_DIR,
os.path.join(paths.SAMBA_DIR, "private"),
- os.path.join(paths.SAMBA_DIR, "lock")):
+ paths.SAMBA_LOCKDIR):
if os.path.isdir(smbpath):
tdb_files = [
os.path.join(smbpath, tdb_file)
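Review bot: the comment at the top of this hunk (`# in /var/lib/samba and /var/lib/samba/private`) is now stale, since the loop also walks `paths.SAMBA_LOCKDIR`, which on Debian resolves to `/run/samba` rather than a subdirectory of `/var/lib/samba`; extend it to name the lock directory. Behaviour is unchanged for the base namespace, whose new default keeps the previous `/var/lib/samba/lock`, and the existing `os.path.isdir(smbpath)` check covers the case where the tmpfs-backed `/run/samba` is absent.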
--
2.48.1


@@ -1,12 +0,0 @@
diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 812bbdaf2..9750fdeaa 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -20,6 +20,7 @@ debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
+debian_system_units['chronyd'] = 'chrony.service'
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
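Review bot: deleting this patch removes the `chronyd` -> `chrony.service` remap from the Debian patch set, and nothing else in this change re-adds it to `ipaplatform/debian/services.py`; confirm that the upstream release being imported already carries the mapping, otherwise FreeIPA on Debian will address the time service by the unit name `chronyd.service` rather than the `chrony.service` this patch mapped it to.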

debian/patches/map-ssh-service.diff vendored Normal file

@@ -0,0 +1,10 @@
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -37,6 +37,7 @@ debian_system_units['ods_signerd'] = deb
debian_system_units['rpcgssd'] = 'rpc-gssd.service'
debian_system_units['rpcidmapd'] = 'nfs-idmapd.service'
debian_system_units['smb'] = 'smbd.service'
+debian_system_units['sshd'] = 'ssh.service'
# Service classes that implement Debian family-specific behaviour
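Review bot: `ssh.service` is the unit name openssh-server installs on Debian, so mapping FreeIPA's `sshd` service to it is correct; the explicit entry is preferable to relying on the `sshd.service` alias, which only exists once the unit has been enabled.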


@@ -1,11 +0,0 @@
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -176,7 +176,7 @@ class BasePathNamespace:
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
- GPG2 = "/usr/bin/gpg2"
+ GPG2 = "/usr/bin/gpg"
GPG_CONF = "/usr/bin/gpgconf"
GPG_CONNECT_AGENT = "/usr/bin/gpg-connect-agent"
GPG_AGENT = "/usr/bin/gpg-agent"
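Review bot: dropping this patch reverts the `GPG2` path on Debian from `/usr/bin/gpg` to the base default `/usr/bin/gpg2`, unless the imported upstream changed the base path itself; since `paths.GPG2` is what the backup and restore tooling invokes to encrypt and decrypt backups, a wrong path only surfaces when an encrypted backup or restore is attempted, so check that the imported upstream resolves it (or that a `gpg2` binary is present on Debian) before removing the patch.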


@@ -1,796 +0,0 @@
--- a/daemons/dnssec/ipa-dnskeysync-replica.in
+++ b/daemons/dnssec/ipa-dnskeysync-replica.in
@@ -145,7 +145,7 @@ def ldap2replica_zone_keys_sync(ldapkeyd
# IPA framework initialization
-standard_logging_setup(verbose=True, debug=True)
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
--- a/daemons/dnssec/ipa-dnskeysyncd.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.in
@@ -23,12 +23,9 @@ logger = logging.getLogger(os.path.basen
# IPA framework initialization
-standard_logging_setup(verbose=True)
+standard_logging_setup(debug=True)
api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
api.finalize()
-if api.env.debug:
- root_logger = logging.getLogger()
- root_logger.setLevel(logging.DEBUG)
# Global state
watcher_running = True
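Review bot: with the `if api.env.debug:` block removed and `standard_logging_setup(debug=True)` called unconditionally, the daemon now always logs at debug level regardless of the configured `debug` setting; the call has to run before `api.bootstrap()`, so `api.env.debug` is not yet available there, but if the journal volume or the detail of what gets logged matters, re-apply the configured level after `api.finalize()`.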
--- a/daemons/dnssec/ipa-ods-exporter.in
+++ b/daemons/dnssec/ipa-ods-exporter.in
@@ -29,12 +29,12 @@ import dns.dnssec
from gssapi.exceptions import GSSError
import six
import systemd.daemon
-import systemd.journal
import ipalib
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
+from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -650,20 +650,8 @@ def cleanup_ldap_zone(ldap, dns_dn, zone
ldap.delete_entry(ldap_key)
-# this service is usually socket-activated
-root_logger = logging.getLogger()
-root_logger.addHandler(systemd.journal.JournalHandler())
-root_logger.setLevel(level=logging.DEBUG)
-
-if len(sys.argv) > 2:
- print(__doc__)
- sys.exit(1)
-# program was likely invoked from console, log to it
-elif len(sys.argv) == 2:
- console = logging.StreamHandler()
- root_logger.addHandler(console)
-
# IPA framework initialization
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
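Review bot: besides the logging change, this hunk also removes the argument check (`if len(sys.argv) > 2: print(__doc__); sys.exit(1)`), so the exporter no longer rejects unexpected extra arguments; if that check existed only to support the console-invocation case now covered by `standard_logging_setup`, fine, but keeping a minimal usage check (or a comment saying why it went) would make the intent clear.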
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -99,6 +99,15 @@
%global httpd_version 2.4.41-6.1
%endif
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+%if 0%{?fedora} >= 31
+ %global with_bind_pkcs11 0
+ %global openssl_pkcs11_version 0.4.10-6
+ %global softhsm_version 2.5.0-4
+%else
+ %global with_bind_pkcs11 1
+%endif
+
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -463,8 +472,13 @@ Requires: %{name}-server = %{version}-%{
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
+%if 0%{?with_bind_pkcs11}
Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
%if 0%{?fedora} >= 32
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
Requires: opendnssec >= 2.1.6-5
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,8 @@ dist_app_DATA = \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.named.conf.template \
+ bind.openssl.cnf.template \
+ bind.openssl.cryptopolicy.cnf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
--- /dev/null
+++ b/install/share/bind.openssl.cnf.template
@@ -0,0 +1,14 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- /dev/null
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_configuration
+engines = engine_section
+
+[ssl_configuration]
+system_default = crypto_policy
+
+[crypto_policy]
+.include $CRYPTO_POLICY_FILE
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
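Review bot: `instalation` in the `# File generated by IPA instalation` comment should read `installation` (the same typo is in `bind.openssl.cnf.template` above). The `.include $CRYPTO_POLICY_FILE` under `[crypto_policy]`, wired in through `ssl_conf = ssl_configuration` and `system_default = crypto_policy`, is what keeps the system crypto policy in force for named's OpenSSL once `OPENSSL_CONF` points at this file instead of the distribution default; keep that include even if the engine section is later dropped, since a replacement config without it would silently lose the policy.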
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -23,6 +23,8 @@ class BaseConstantsNamespace:
NAMED_USER = "named"
NAMED_GROUP = "named"
NAMED_DATA_DIR = "data/"
+ NAMED_OPTIONS_VAR = "OPTIONS"
+ NAMED_OPENSSL_ENGINE = None
NAMED_ZONE_COMMENT = ""
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -26,6 +26,7 @@ import os
class BasePathNamespace:
BIN_HOSTNAMECTL = "/bin/hostnamectl"
+ CRYPTO_POLICY_OPENSSLCNF_FILE = None
ECHO = "/bin/echo"
FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
GZIP = "/bin/gzip"
@@ -69,6 +70,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ DNSSEC_OPENSSL_CONF = None
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
@@ -253,8 +255,6 @@ class BasePathNamespace:
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
- NAMED = "/usr/sbin/named"
- NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
CHRONYC = "/usr/bin/chronyc"
CHRONYD = "/usr/sbin/chronyd"
PKIDESTROY = "/usr/sbin/pkidestroy"
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -27,4 +27,6 @@ class FedoraConstantsNamespace(RedHatCon
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
+ NAMED_OPENSSL_ENGINE = "pkcs11"
+
constants = FedoraConstantsNamespace()
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,8 @@ class FedoraPathNamespace(RedHatPathName
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -29,6 +29,8 @@ from ipaplatform.redhat import services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
+fedora_system_units['named'] = fedora_system_units['named-regular']
+fedora_system_units['named-conflict'] = fedora_system_units['named-pkcs11']
# Service classes that implement Fedora-specific behaviour
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedH
# of specified name
def fedora_service_class_factory(name, api=None):
+ if name in ['named', 'named-conflict']:
+ return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BaseP
class RedHatPathNamespace(BasePathNamespace):
+ CRYPTO_POLICY_OPENSSLCNF_FILE = (
+ '/etc/crypto-policies/back-ends/opensslcnf.config'
+ )
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] =
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
+redhat_system_units['named-conflict'] = redhat_system_units['named-regular']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -16,11 +16,14 @@ import stat
import six
import ipalib.constants
+
from ipapython.dn import DN
from ipapython import ipautil
+from ipaplatform.constants import constants as platformconstants
from ipaplatform.paths import paths
from ipaserver.dnssec.temp import TemporaryDirectory
+from ipaserver.install import installutils
logger = logging.getLogger(__name__)
@@ -133,8 +136,11 @@ class BINDMgr:
cmd.extend(['-f', 'KSK'])
if attrs.get('idnsSecKeyRevoke', [b'FALSE'])[0].upper() == b'TRUE':
cmd.extend(['-R', datetime.now().strftime(time_bindfmt)])
+ if platformconstants.NAMED_OPENSSL_ENGINE is not None:
+ cmd.extend(['-E', platformconstants.NAMED_OPENSSL_ENGINE])
cmd.append(zone.to_text())
+ installutils.check_entropy()
# keys has to be readable by ODS & named
result = ipautil.run(cmd, capture_output=True)
basename = result.output.strip()
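Review bot: `installutils.check_entropy()` only logs a warning when the kernel entropy estimate is low; it does not block key generation, so this call is a diagnostic aid rather than a guarantee for the DNSSEC keys generated by `ipautil.run(cmd, ...)`. That is acceptable (the kernel CSPRNG blocks on its own if it is truly unseeded), but the comment should say so. The `-E <engine>` option is only appended when `NAMED_OPENSSL_ENGINE` is set, so platforms without an engine keep the previous command line.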
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -663,7 +663,7 @@ class BindInstance(service.Service):
self.no_dnssec_validation = False
self.sub_dict = None
self.reverse_zones = ()
- self.named_regular = services.service('named-regular', api)
+ self.named_conflict = services.service('named-conflict', api)
suffix = ipautil.dn_attribute_property('_suffix')
@@ -770,7 +770,7 @@ class BindInstance(service.Service):
# named has to be started after softhsm initialization
# self.step("restarting named", self.__start)
- self.step("configuring named to start on boot", self.__enable)
+ self.step("configuring named to start on boot", self.switch_service)
self.step(
"changing resolv.conf to point to ourselves",
self.setup_resolv_conf
@@ -783,19 +783,16 @@ class BindInstance(service.Service):
def __start(self):
try:
- if self.get_state("running") is None:
- # first time store status
- self.backup_state("running", self.is_running())
self.restart()
except Exception as e:
logger.error("Named service failed to start (%s)", e)
print("named service failed to start")
+ def switch_service(self):
+ self.mask_conflict()
+ self.__enable()
+
def __enable(self):
- if self.get_state("enabled") is None:
- self.backup_state("enabled", self.is_running())
- self.backup_state("named-regular-enabled",
- self.named_regular.is_running())
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
@@ -806,20 +803,19 @@ class BindInstance(service.Service):
# don't crash, just report error
logger.error("DNS service already exists")
- # disable named, we need to run named-pkcs11 only
- if self.get_state("named-regular-running") is None:
- # first time store status
- self.backup_state("named-regular-running",
- self.named_regular.is_running())
+ def mask_conflict(self):
+ # disable named-conflict (either named or named-pkcs11)
try:
- self.named_regular.stop()
+ self.named_conflict.stop()
except Exception as e:
- logger.debug("Unable to stop named (%s)", e)
+ logger.debug("Unable to stop %s (%s)",
+ self.named_conflict.systemd_name, e)
try:
- self.named_regular.mask()
+ self.named_conflict.mask()
except Exception as e:
- logger.debug("Unable to mask named (%s)", e)
+ logger.debug("Unable to mask %s (%s)",
+ self.named_conflict.systemd_name, e)
def _get_dnssec_validation(self):
"""get dnssec-validation value
@@ -1318,11 +1314,6 @@ class BindInstance(service.Service):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
- running = self.restore_state("running")
- enabled = self.restore_state("enabled")
- named_regular_running = self.restore_state("named-regular-running")
- named_regular_enabled = self.restore_state("named-regular-enabled")
-
self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())
try:
@@ -1337,23 +1328,10 @@ class BindInstance(service.Service):
ipautil.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)
- # disabled by default, by ldap_configure()
- if enabled:
- self.enable()
- else:
- self.disable()
-
- if running:
- self.restart()
- else:
- self.stop()
-
- self.named_regular.unmask()
- if named_regular_enabled:
- self.named_regular.enable()
+ self.disable()
+ self.stop()
- if named_regular_running:
- self.named_regular.start()
+ self.named_conflict.unmask()
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
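Review bot: the uninstall path now unconditionally runs `self.disable()`, `self.stop()` and `self.named_conflict.unmask()`, dropping the restore of the pre-install `enabled`, `running` and `named-regular-*` states; that is consistent with `bind_old_states()` deleting those keys, but a host whose distribution `named` unit was enabled and running before IPA was installed is left with it unmasked yet neither re-enabled nor restarted after uninstall. If that is intended, a comment here would save the next reader from looking for the restore.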
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -4,11 +4,12 @@
from __future__ import print_function, absolute_import
-import logging
import errno
+import grp
+import logging
import os
import pwd
-import grp
+import re
import shutil
import stat
@@ -56,10 +57,10 @@ class DNSKeySyncInstance(service.Service
keytab=paths.IPA_DNSKEYSYNCD_KEYTAB
)
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
- self.named_uid = None
- self.named_gid = None
- self.ods_uid = None
- self.ods_gid = None
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+ self.ods_uid = self.__get_ods_uid()
+ self.ods_gid = self.__get_ods_gid()
suffix = ipautil.dn_attribute_property('_suffix')
@@ -67,12 +68,6 @@ class DNSKeySyncInstance(service.Service
"""
Setting up correct permissions to allow write/read access for daemons
"""
- if self.named_uid is None:
- self.named_uid = self.__get_named_uid()
-
- if self.named_gid is None:
- self.named_gid = self.__get_named_gid()
-
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
# dnssec daemons require to have access into the directory
@@ -133,20 +128,19 @@ class DNSKeySyncInstance(service.Service
except KeyError:
raise RuntimeError("Named GID not found")
- def __check_dnssec_status(self):
- self.named_uid = self.__get_named_uid()
- self.named_gid = self.__get_named_gid()
-
+ def __get_ods_uid(self):
try:
- self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
+ return pwd.getpwnam(constants.ODS_USER).pw_uid
except KeyError:
raise RuntimeError("OpenDNSSEC UID not found")
+ def __get_ods_gid(self):
try:
- self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
+ return grp.getgrnam(constants.ODS_GROUP).gr_gid
except KeyError:
raise RuntimeError("OpenDNSSEC GID not found")
+ def __check_dnssec_status(self):
if not dns_container_exists(self.suffix):
raise RuntimeError("DNS container does not exist")
@@ -164,10 +158,94 @@ class DNSKeySyncInstance(service.Service
self._ldap_mod("dnssec.ldif", {'SUFFIX': self.suffix, })
- def __setup_softhsm(self):
- assert self.ods_uid is not None
- assert self.named_gid is not None
+ def _are_named_options_configured(self, options):
+ """Check whether the sysconfig of named is patched
+ Additional command line options for named are passed
+ via OPTIONS env variable. Since custom options can be
+ supplied by a vendor, at least, the base parsing of such
+ is required.
+ Current named command line options:
+ NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:M:m:n:N:p:P:sS:t:T:U:u:vVx:X:"
+ If there are several same options the last passed wins.
+ """
+ if options:
+ pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
+ engines = re.findall(pattern, options)
+ if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+ return True
+
+ return False
+
+ def setup_named_openssl_conf(self):
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ logger.debug("Setup OpenSSL config for BIND")
+ # setup OpenSSL config for BIND,
+ # this one is needed because FreeIPA installation
+ # disables p11-kit-proxy PKCS11 module
+ conf_file_dict = {
+ 'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
+ 'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
+ 'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
+ }
+ if paths.CRYPTO_POLICY_OPENSSLCNF_FILE is None:
+ opensslcnf_tmpl = "bind.openssl.cnf.template"
+ else:
+ opensslcnf_tmpl = "bind.openssl.cryptopolicy.cnf.template"
+
+ named_openssl_txt = ipautil.template_file(
+ os.path.join(paths.USR_SHARE_IPA_DIR, opensslcnf_tmpl),
+ conf_file_dict
+ )
+ with open(paths.DNSSEC_OPENSSL_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o640)
+ os.fchown(f.fileno(), 0, self.named_gid)
+ f.write(named_openssl_txt)
+
+ def setup_named_sysconfig(self):
+ logger.debug("Setup BIND sysconfig")
+ sysconfig = paths.SYSCONFIG_NAMED
+ self.fstore.backup_file(sysconfig)
+
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ options = directivesetter.get_directive(
+ paths.SYSCONFIG_NAMED,
+ constants.NAMED_OPTIONS_VAR,
+ separator="="
+ ) or ''
+ if not self._are_named_options_configured(options):
+ engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE)
+ new_options = ' '.join([options, engine_cmd])
+ directivesetter.set_directive(
+ sysconfig,
+ constants.NAMED_OPTIONS_VAR, new_options,
+ quotes=True, separator='=')
+
+ def setup_ipa_dnskeysyncd_sysconfig(self):
+ logger.debug("Setup ipa-dnskeysyncd sysconfig")
+ sysconfig = paths.SYSCONFIG_IPA_DNSKEYSYNCD
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ def __setup_softhsm(self):
token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)
# create dnssec directory
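Review bot: in `setup_named_sysconfig` the OPTIONS value is read from `paths.SYSCONFIG_NAMED` while every other call in the function uses the local `sysconfig` (the same path); use `sysconfig` there too. `_are_named_options_configured` appends a second `-E` rather than replacing a vendor-supplied one, relying on last-option-wins as its docstring explains, which is fine, but the pattern `r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"` only recognises a space as separator, so a tab-separated OPTIONS string is never detected and `-E <engine>` would be appended again on every run. The generated OpenSSL config being written root-owned, group `named`, mode 0640 via `fchmod`/`fchown` on the open descriptor is the right least-privilege shape.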
@@ -186,23 +264,15 @@ class DNSKeySyncInstance(service.Service
'tokens_dir': paths.DNSSEC_TOKENS_DIR
}
logger.debug("Creating new softhsm config file")
- named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(softhsm_conf_txt)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)
-
- # setting up named to use softhsm2
- if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
- self.fstore.backup_file(paths.SYSCONFIG_NAMED)
-
- # setting up named and ipa-dnskeysyncd to use our softhsm2 config
- for sysconfig in [paths.SYSCONFIG_NAMED,
- paths.SYSCONFIG_IPA_DNSKEYSYNCD]:
- directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF',
- paths.DNSSEC_SOFTHSM2_CONF,
- quotes=False, separator='=')
+ with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o644)
+ f.write(softhsm_conf_txt)
+
+ # setting up named and ipa-dnskeysyncd to use our softhsm2 and
+ # openssl configs
+ self.setup_named_openssl_conf()
+ self.setup_named_sysconfig()
+ self.setup_ipa_dnskeysyncd_sysconfig()
if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
@@ -231,23 +301,17 @@ class DNSKeySyncInstance(service.Service
entropy_bits=0, special=None, min_len=pin_length)
logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770)
- # chown to ods:named
- os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)
+ with open(paths.DNSSEC_SOFTHSM_PIN, 'w') as f:
+ # chown to ods:named
+ os.fchown(f.fileno(), self.ods_uid, self.named_gid)
+ os.fchmod(f.fileno(), 0o660)
+ f.write(pin)
logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin_so)
- named_fd.close()
- # owner must be root
- os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400)
+ with open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') as f:
+ # owner must be root
+ os.fchmod(f.fileno(), 0o400)
+ f.write(pin_so)
# initialize SoftHSM
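Review bot: the PIN files are now created with `open(path, 'w')` and tightened with `fchmod`/`fchown` on the descriptor before the PIN is written, an improvement over the earlier write-close-chmod sequence, and 0o660 finally drops the execute bit that 0o770 granted. The remaining gap is that `open()` creates the file with the process umask for the instant before `fchmod` runs; the file is still empty at that point, so nothing leaks, but `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o660), 'w')` would close even that window. The SO PIN being root-only 0o400 is correct.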
@@ -377,7 +441,7 @@ class DNSKeySyncInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid)
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
# chown to ods:named
os.chown(file_path, self.ods_uid, self.named_gid)
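Review bot: `os.chmod(file_path, 0o660 | stat.S_ISGID)` applies the setgid bit to regular files, where it does not provide the group inheritance that the directory case relies on (that semantic is directory-only); on a regular file with the group execute bit clear, setgid was historically the mandatory-locking flag on Linux (removed in 5.15), so it is at best meaningless and at worst surprising. Keep `S_ISGID` for `dir_path` and use plain `0o660` for files. The same pattern appears in `opendnssecinstance.py` further down.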
@@ -389,7 +453,6 @@ class DNSKeySyncInstance(service.Service
logger.error("DNSKeySync service already exists")
def __setup_principal(self):
- assert self.ods_gid is not None
ipautil.remove_keytab(self.keytab)
installutils.kadmin_addprinc(self.principal)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -185,6 +185,7 @@ class Backup(admintool.AdminTool):
paths.OPENDNSSEC_KASP_FILE,
paths.OPENDNSSEC_ZONELIST_FILE,
paths.OPENDNSSEC_KASP_DB,
+ paths.DNSSEC_OPENSSL_CONF,
paths.DNSSEC_SOFTHSM2_CONF,
paths.DNSSEC_SOFTHSM_PIN_SO,
paths.IPA_ODS_EXPORTER_KEYTAB,
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -106,9 +106,9 @@ def install(api, replica_config, options
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
- # Restarted named-pkcs11 to restore bind-dyndb-ldap operation, see
+ # Restarted named to restore bind-dyndb-ldap operation, see
# https://pagure.io/freeipa/issue/5813
- named = services.knownservices.named # alias for named-pkcs11
+ named = services.knownservices.named # alias for current named
if named.is_running():
named.restart(capture_output=True)
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -269,7 +269,7 @@ class OpenDNSSECInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid) # chown to ods:named
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
os.chown(file_path, self.ods_uid, self.named_gid) # chown to ods:named
finally:
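Review bot: as in `dnskeysyncinstance.py` above, `0o660 | stat.S_ISGID` on regular files gives no group inheritance (that is a directory-only semantic) and, with the group execute bit clear, is the old mandatory-locking flag; use `0o660` for files here and reserve `S_ISGID` for the directory chmod.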
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -509,6 +509,24 @@ def ca_initialize_hsm_state(ca):
ca.set_hsm_state(config)
+def dnssec_set_openssl_engine(dnskeysyncd):
+ """
+ Setup OpenSSL engine for BIND
+ """
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ if sysupgrade.get_upgrade_state('dns', 'openssl_engine'):
+ return False
+
+ logger.info('[Set OpenSSL engine for BIND]')
+ dnskeysyncd.setup_named_openssl_conf()
+ dnskeysyncd.setup_named_sysconfig()
+ dnskeysyncd.setup_ipa_dnskeysyncd_sysconfig()
+ sysupgrade.set_upgrade_state('dns', 'openssl_engine', True)
+
+ return True
+
def certificate_renewal_update(ca, kra, ds, http):
"""
@@ -1395,7 +1413,10 @@ def upgrade_bind(fstore):
logger.info("DNS service is not configured")
return False
- # get rid of old upgrade states
+ bind_switch_service(bind)
+
+ # get rid of old states
+ bind_old_states(bind)
bind_old_upgrade_states()
# only upgrade with drop-in is missing and /etc/resolv.conf is a link to
@@ -1428,6 +1449,38 @@ def upgrade_bind(fstore):
return changed
+def bind_switch_service(bind):
+ """
+ Mask either named or named-pkcs11, we need to run only one,
+ running both can cause unexpected errors.
+ """
+ named_conflict_name = bind.named_conflict.systemd_name
+ named_conflict_old = sysupgrade.get_upgrade_state('dns', 'conflict_named')
+
+ # nothing changed
+ if named_conflict_old and named_conflict_old == named_conflict_name:
+ return False
+
+ bind.switch_service()
+
+ sysupgrade.set_upgrade_state('dns', 'conflict_named', named_conflict_name)
+ return True
+
+
+def bind_old_states(bind):
+ """Remove old states
+ """
+ # no longer used states
+ old_states = [
+ "enabled",
+ "running",
+ "named-regular-enabled",
+ "named-regular-running",
+ ]
+ for state in old_states:
+ bind.delete_state(state)
+
+
def bind_old_upgrade_states():
"""Remove old upgrade states
"""
@@ -1673,6 +1726,9 @@ def upgrade_configuration():
if not dnskeysyncd.is_configured():
dnskeysyncd.create_instance(fqdn, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
+ else:
+ if dnssec_set_openssl_engine(dnskeysyncd):
+ dnskeysyncd.start_dnskeysyncd()
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -533,6 +533,9 @@ class Service:
def get_state(self, key):
return self.sstore.get_state(self.service_name, key)
+ def delete_state(self, key):
+ self.sstore.delete_state(self.service_name, key)
+
def print_msg(self, message):
print_msg(message, self.output_fd)
@@ -660,6 +663,7 @@ class Service:
]
extra_config_opts.extend(config)
+ self.unmask()
self.disable()
set_service_entry_config(
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -989,7 +989,7 @@ class TestIPACommand(IntegrationTest):
# get minimum version from current crypto-policy
openssl_cnf = self.master.get_file_contents(
- "/etc/crypto-policies/back-ends/opensslcnf.config",
+ paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
encoding="utf-8"
)
mo = re.search(r"MinProtocol\s*=\s*(TLSv[0-9.]+)", openssl_cnf)
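Review bot: `paths.CRYPTO_POLICY_OPENSSLCNF_FILE` is `None` in the base namespace (this patch only sets it in `RedHatPathNamespace`), so on any other platform `get_file_contents(None, ...)` would fail the test rather than skip it; guard the test with a skip when the constant is `None`.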

debian/patches/series vendored

@@ -1,11 +1,10 @@
# upstreamed
pkcs11-openssl-for-bind.diff
# not upstreamable
dnssec-race-wa.diff
fix-sssd-socket-activation.diff
# send upstream
migrate-to-gpg.diff
dnssec-race-wa.diff
use-bind9.16.diff
fix-sssd-socket-activation.diff
fix-chrony-service-name.diff
map-ssh-service.diff
Make-path-of-Samba-lock-directory-configurable-and-u.patch
Make-name-of-nobody-group-configurable-and-use-nogro.patch
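Review bot: as rendered, this hunk lists `dnssec-race-wa.diff` and `fix-sssd-socket-activation.diff` twice, once under `# not upstreamable` and once under `# send upstream`; presumably one copy is the old position and the other the new, but confirm that the resulting `series` names each patch exactly once, since applying the same patch twice fails. The removed entries (`pkcs11-openssl-for-bind.diff`, `migrate-to-gpg.diff`, `use-bind9.16.diff`, `fix-chrony-service-name.diff`) match the patch files deleted elsewhere in this change, and the two added `Make-*.patch` entries match the new files.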


@@ -1,24 +0,0 @@
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -58,7 +58,7 @@ class DebianPathNamespace(BasePathNamesp
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
- SYSCONFIG_NAMED = "/etc/default/bind9"
+ SYSCONFIG_NAMED = "/etc/default/named"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -23,8 +23,8 @@ debian_system_units = redhat_services.re
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
-debian_system_units['named-regular'] = 'bind9.service'
-debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
+debian_system_units['named-regular'] = 'named.service'
+debian_system_units['named-pkcs11'] = 'named-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
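Review bot: dropping this patch reverts the Debian sysconfig path to `/etc/default/bind9` and the unit names to `bind9.service` and `bind9-pkcs11.service` unless the imported upstream already uses `named.service` and `/etc/default/named`; current Debian `bind9` ships `named.service` (with `bind9.service` as an alias) and reads `/etc/default/named`, so make sure the upstream Debian namespace has caught up before this lands, or DNSSEC setup will edit a file named does not read.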


@@ -1,8 +1,5 @@
usr/lib/python*/dist-packages/ipaclient-*.egg-info
usr/lib/python*/dist-packages/ipaclient/*.py
usr/lib/python*/dist-packages/ipaclient/csrgen/profiles/*.json
usr/lib/python*/dist-packages/ipaclient/csrgen/rules/*.json
usr/lib/python*/dist-packages/ipaclient/csrgen/templates/*.tmpl
usr/lib/python*/dist-packages/ipaclient/install/*.py
usr/lib/python*/dist-packages/ipaclient/plugins/*.py
usr/lib/python*/dist-packages/ipaclient/remote_plugins/*.py


@@ -1,6 +1,7 @@
usr/lib/python*/dist-packages/ipaserver-*.egg-info
usr/lib/python*/dist-packages/ipaserver/__init__*
usr/lib/python*/dist-packages/ipaserver/advise/*
usr/lib/python*/dist-packages/ipaserver/custodia
usr/lib/python*/dist-packages/ipaserver/dcerpc.py
usr/lib/python*/dist-packages/ipaserver/dcerpc_common.py
usr/lib/python*/dist-packages/ipaserver/dns_data_management*
@@ -44,3 +45,4 @@ usr/lib/python*/dist-packages/ipaserver/rpcserver*
usr/lib/python*/dist-packages/ipaserver/secrets/*
usr/lib/python*/dist-packages/ipaserver/servroles*
usr/lib/python*/dist-packages/ipaserver/topology*
usr/lib/python*/dist-packages/ipaserver/wsgi.py*

debian/rules vendored

@@ -6,27 +6,28 @@
include /usr/share/dpkg/architecture.mk
include /usr/share/dpkg/pkg-info.mk
CFLAGS += -D_FORTIFY_SOURCE=2
# build server only where nodejs is available
ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x))
ONLY_CLIENT=0
else
#ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x))
# ONLY_CLIENT=0
#else
ONLY_CLIENT=1
endif
ONLY_CLIENT=1
#endif
DESTDIR=$(CURDIR)/debian/tmp
export PYTHON=python3
export am_cv_python_pythondir=/usr/lib/python3/dist-packages
export am_cv_python_pyexecdir=/usr/lib/python3/dist-packages
export systemdsystemunitdir=$(shell pkgconf --variable=systemdsystemunitdir systemd | sed s,^/,,)
confflags = \
--libexecdir=/usr/lib/ \
--with-ipaplatform=debian \
--with-sysconfenvdir=/etc/default \
--disable-pylint \
--without-ipa-join-xml \
--without-jslint
ifeq ($(ONLY_CLIENT), 1)
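Review bot: the architecture conditional around ONLY_CLIENT is only commented out and replaced by an unconditional `ONLY_CLIENT=1` (both the original `ifneq ... else ... endif` block and its commented copy are visible in this hunk), so freeipa-server is no longer built on any architecture; if that is deliberate, say so in the changelog and in the comment above the block rather than leaving the arch list as dead text, otherwise restore the filter and drop the stray `ONLY_CLIENT=1` / `#endif` that follow the `endif`.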
@@ -83,10 +84,8 @@ ifneq ($(ONLY_CLIENT), 1)
touch $(DESTDIR)/usr/share/ipa/html/krbrealm.con
endif
mkdir -p $(DESTDIR)/usr/share/bash-completion/completions \
install -m 0644 contrib/completion/ipa.bash_completion \
$(DESTDIR)/usr/share/bash-completion/completions/ipa
rm -rf $(DESTDIR)/etc/bash_completion.d
mkdir -p $(DESTDIR)/usr/share/bash-completion/completions
mv $(DESTDIR)/etc/bash_completion.d/ipa $(DESTDIR)/usr/share/bash-completion/completions
# purge .la files
find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \;
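Review bot: the trailing backslash on `mkdir -p $(DESTDIR)/usr/share/bash-completion/completions \` joins that line with `install -m 0644 contrib/completion/ipa.bash_completion \ ...`, so make runs one mkdir command whose operands are the completions directory plus `install`, `contrib/completion/ipa.bash_completion` and `.../completions/ipa` (created with mode 0644 because of `-m`), and the completion file is never installed; terminate the mkdir line or join the two commands with `&& \`. Likewise `mv $(DESTDIR)/etc/bash_completion.d/ipa ...` cannot succeed after `rm -rf $(DESTDIR)/etc/bash_completion.d`, so whichever of the two sequences this hunk keeps, the other must go.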
@@ -100,6 +99,10 @@ endif
find debian/tmp ! -name '*.pyc' -a ! -name '*.pyo' -a \
-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python3|' {} \;
ifeq ($(ONLY_CLIENT), 0)
# remove ipasphinx for now
rm -r $(CURDIR)/debian/tmp/usr/lib/python3/dist-packages/ipasphinx*
endif
override_dh_missing:
dh_missing --fail-missing
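Review bot: `rm -r $(CURDIR)/debian/tmp/usr/lib/python3/dist-packages/ipasphinx*` has no `-f`, so the build fails whenever the glob matches nothing (the literal pattern is passed to rm); use `rm -rf`, or better, keep ipasphinx out of the install step instead of deleting it afterwards. Note also that this block sits under `ifeq ($(ONLY_CLIENT), 0)`, which the ONLY_CLIENT change earlier in this file makes unreachable.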
@@ -121,6 +124,11 @@ override_dh_fixperms:
chmod 0700 $(CURDIR)/debian/freeipa-server/var/lib/ipa/backup; \
fi
override_dh_gencontrol:
dh_gencontrol -- \
-Vlib:Depends=$(shell dpkg-query -W -f '$${Depends}' librpm-dev \
| sed -E 's/.*(librpm[[:alnum:].-]+).*/\1/')
%:
dh $@ --with python3
# --builddirectory=build
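Review bot: the sed in override_dh_gencontrol is greedy: `.*(librpm[[:alnum:].-]+).*` captures the last librpm-prefixed token in librpm-dev's Depends field, so if that field lists librpmio, librpmbuild or librpmsign after the runtime library the `lib:Depends` substvar will name the wrong package; split the field on commas and select the first entry matching `librpm[0-9]` (for example `tr ',' '\n' | grep -m1 '^ *librpm[0-9]' | sed 's/ (.*//'`) instead of relying on one greedy match. The commented `# --builddirectory=build` under the `%:` rule is dead and should be dropped.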


@@ -1,11 +1,11 @@
# a few long lines, this is still the unminified one
freeipa source: source-is-missing debian/missing-sources/qrcode.js line length is 602 characters (>512)
# missing-sources/dojo/*, see install/ui/src/dojo.profile.js
freeipa source: source-is-missing install/ui/build/dojo/dojo.js line length is 31980 characters (>512)
freeipa source: source-is-missing [install/ui/build/dojo/dojo.js]
# missing-sources/jquery-*.js
freeipa source: source-is-missing install/ui/src/libs/jquery.js line length is 32584 characters (>512)
freeipa source: source-is-missing [install/ui/src/libs/jquery.js]
# missing-sources/build/*, see install/ui/src/build.profile.js
freeipa source: source-is-missing install/ui/util/build/build.js line length is 31954 characters (>512)
freeipa source: source-is-missing [install/ui/util/build/build.js]
# client doesn't run autopkgtests
freeipa source: empty-debian-tests-control

debian/tests/control vendored Normal file

@@ -0,0 +1,8 @@
#Tests: server-install
#Depends:
# freeipa-server, freeipa-client, freeipa-server-dns,
# sudo,
#Restrictions:
# allow-stderr,
# isolation-container,
# needs-root,
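Review bot: every line of the new debian/tests/control is commented out, so the server-install script added alongside it is never run and the file exists only to be suppressed by the `empty-debian-tests-control` lintian override; either enable the stanza (it already declares `needs-root` and `isolation-container`, which is what ipa-server-install requires) or leave the file out until the test is ready.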

debian/tests/server-install vendored Normal file

@@ -0,0 +1,57 @@
#!/bin/sh
export KRB5_TRACE=/dev/stderr
# hack for lxc
IP=`ip route get 1.1.1.1 | sed -n -e's/.*src //; s/ .*//; p; q'`
echo "IP address is $IP"
HOSTNAME=`cat /etc/hosts| grep '127.0.1.1' | awk '{print $NF; exit}' | sed 's/\..*//'`
echo "Hostname was: $HOSTNAME"
if [ -z $HOSTNAME ]; then
HOSTNAME=autopkgtest
hostname $HOSTNAME
echo $HOSTNAME > /etc/hostname
fi
echo "$IP $HOSTNAME.debci.ipatest $HOSTNAME" >> /etc/hosts
echo "/etc/hosts now has:"
cat /etc/hosts
if [ ! -d /etc/systemd/system/pki-tomcatd.target.wants ]; then
echo "WHOOPS: Creating /etc/systemd/system/pki-tomcatd.target.wants"
mkdir /etc/systemd/system/pki-tomcatd.target.wants
fi
if [ ! -d /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants ]; then
echo "WHOOPS: Creating /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants"
mkdir /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants
fi
ipa-server-install \
-U \
-r DEBCI.IPATEST \
-n debci.ipatest \
-p Secret123 \
-a Secret123 \
--ip-address=$IP \
--setup-dns \
--no-forwarders \
--hostname=$HOSTNAME.debci.ipatest
if [ $? != 0 ]; then
echo ">>>>> journalctl named >>>>>>>"
journalctl -xeu named.service
echo ">>>>> journalctl certmonger >>>>>>>"
journalctl -xeu certmonger.service
echo ">>>>> journalctl apache2 >>>>>>>"
journalctl -xeu apache2.service
echo ">>>>> journalctl pki-tomcatd >>>>>>>"
journalctl -xeu pki-tomcatd@pki-tomcat.service
echo ">>>>> IPASERVER log >>>>>>>"
tail -n 2000 /var/log/ipaserver-install.log
echo ">>>>> IPACLIENT log >>>>>>>"
tail -n 2000 /var/log/ipaclient-install.log
exit 1
fi
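Review bot: `if [ -z $HOSTNAME ]` must quote the variable (`[ -z "$HOSTNAME" ]`): unquoted, an empty value collapses to `[ -z ]`, which happens to be true, but a value containing whitespace turns the test into a syntax error. The script also has no `set -e` and only checks the exit status of ipa-server-install, so a failing `hostname` or `mkdir` goes unnoticed; the two `WHOOPS` blocks can be plain `mkdir -p`, and `cat /etc/hosts | grep` is a needless use of cat. The fixed `Secret123` admin and Directory Manager password is only acceptable because the test is meant to run under `isolation-container`; add a comment saying it is test-only so nobody reuses the script against a persistent host.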

debian/watch vendored

@@ -1,3 +1,3 @@
version=3
#options=dversionmangle=s/\+dfsg$//,uversionmangle=s/$/+dfsg1/,compression=xz \
options=uversionmangle=s/rc/~rc/ \
https://releases.pagure.org/freeipa/freeipa-(.+).tar.gz
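Review bot: `uversionmangle=s/rc/~rc/` rewrites only the first `rc` and is not anchored to a preceding digit; with the purely numeric versions published at releases.pagure.org this is harmless, but `s/\.?rc/~rc/` or anchoring on `[0-9]rc` is safer if upstream ever changes its naming. Consider bumping `version=3` to `version=4` while touching the file.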