Imported Debian patch 4.6.2-4~numeezy

Alexandre Ellert
2018-01-31 13:57:05 +02:00
committed by Mario Fetka
parent 8ff3be4216
commit c86f4cfde4
103 changed files with 38064 additions and 0 deletions


@@ -0,0 +1,12 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -197,6 +197,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
+ # create the configfile, opendnssec-enforcer doesn't ship it
+ open(paths.SYSCONFIG_ODS, 'a').close()
+
installutils.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,
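Review bot: The empty file made by `open(paths.SYSCONFIG_ODS, 'a').close()` gets whatever mode the installer's umask yields, and the handle is closed by hand rather than by a `with` block. Setting the mode right after creation, for example `os.chmod(paths.SYSCONFIG_ODS, 0o644)`, would make the result independent of the caller's environment. The creation also comes after the `fstore.backup_file` branch, so the file store is consulted before the file exists; whether uninstall then leaves the file behind cannot be told from this hunk. The enclosing method starts and ends outside the hunk.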


@@ -0,0 +1,19 @@
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -179,6 +179,7 @@ class HTTPInstance(service.Service):
if not self.is_kdcproxy_configured():
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("starting httpd", self.start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
@@ -525,6 +526,8 @@ class HTTPInstance(service.Service):
except Exception:
pass
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
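Review bot: The `a2dismod` call in the second hunk sits after the `except Exception: pass` block rather than inside it, so if `ipautil.run` raises on a non-zero exit the uninstall stops before `self.stop_tracking_certificates()` runs. Passing `raiseonerr=False`, as in `ipautil.run(["/usr/sbin/a2dismod", "nss"], raiseonerr=False)`, keeps that step best-effort like the code above it. In the first hunk the `a2enmod` call is a direct call between `self.step(...)` registrations, so it presumably runs while the step list is being built rather than in sequence with the steps around it; moving it into a method registered with `self.step` would keep ordering and progress output consistent. Both binaries are hard-coded paths, whereas other code on this page takes tool locations from `paths`. Both enclosing methods continue outside the hunks.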

41
debian/patches/fix-ipa-conf.diff vendored Normal file

@@ -0,0 +1,41 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -47,7 +47,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /run/httpd/wsgi
+WSGISocketPrefix /run/apache2/wsgi
# Configure mod_wsgi handler for /ipa
@@ -129,7 +129,7 @@ Alias /ipa/session/cookie "/usr/share/ip
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
SessionMaxAge 1800
- GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiSessionKey file:/etc/apache2/ipasession.key
Header unset Set-Cookie
</Location>
@@ -149,7 +149,7 @@ Alias /ipa/session/cookie "/usr/share/ip
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
+ ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
@@ -183,8 +183,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
-Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
+Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/truetype/open-sans"
+Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/truetype/font-awesome"
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
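Review bot: The new `GssapiSessionKey file:/etc/apache2/ipasession.key` line moves the session-cookie key out of the `alias` directory into the top of the Apache configuration directory, and nothing in this patch sets the owner or mode of that file. Anyone who can read the key can decrypt or forge `ipa_session` cookies, so the file should be readable only by the account httpd runs as (mode `0600`). If the module generates the key itself, that account must also be able to create the file in that directory; neither condition is visible here. A short comment above the directive stating the expected owner and mode would make this checkable during review and audit. The `<Location>` block it belongs to starts outside the hunk.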


@@ -0,0 +1,46 @@
Description: fix named.conf template
* extra logging disabled as it'd just duplicate everything
* zones are loaded via includes
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,9 +4,9 @@ options {
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
- dump-file "data/cache_dump.db";
- statistics-file "data/named_stats.txt";
- memstatistics-file "data/named_mem_stats.txt";
+ dump-file "cache_dump.db";
+ statistics-file "named_stats.txt";
+ memstatistics-file "named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
@@ -27,18 +27,14 @@ options {
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- print-time yes;
- };
-};
+//logging {
+// channel default_debug {
+// file "data/named.run";
+// severity dynamic;
+// print-time yes;
+// };
+//};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";
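Review bot: The context comment `// Put files that named is allowed to write in the data/ directory:` no longer matches the three paths below it, which now drop the `data/` prefix. The SELinux comment in the second hunk likewise still explains a `data/named.run` log file that is now commented out. I would reword the first comment to something like `// Files that named writes are placed directly in $NAMED_VAR_DIR:` and delete the disabled `logging` block together with its comment rather than keeping it as `//` lines. Since named now writes its dump and statistics files into the top of its working directory, it is worth confirming that the directory is writable only by the named account; that is not visible from this template.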


@@ -0,0 +1,81 @@
Description: Fix ODS setup with 2.0.x
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -8,7 +8,7 @@
<Module>$SOFTHSM_LIB</Module>
<TokenLabel>$TOKEN_LABEL</TokenLabel>
<PIN>$PIN</PIN>
- <AllowExtraction/>
+ <AllowExtraction/>
</Repository>
</RepositoryList>
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -282,20 +282,15 @@ class OpenDNSSECInstance(service.Service
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml
- cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+ cmd = [paths.ODS_ENFORCER, 'zonelist', 'export']
result = ipautil.run(cmd,
runas=constants.ODS_USER,
capture_output=True)
- with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
- zonelistf.write(result.output)
- os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
- self.ods_uid, self.ods_gid)
- os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660)
else:
# initialize new kasp.db
command = [
- paths.ODS_KSMUTIL,
+ paths.ODS_ENFORCER_SETUP,
'setup'
]
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -167,7 +167,8 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
- ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+ ODS_ENFORCER_SETUP = "/usr/sbin/ods-enforcer-db-setup"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -12,6 +12,7 @@ except ImportError:
from xml.etree import ElementTree as etree
from ipapython import ipa_log_manager, ipautil
+from ipaplatform.paths import paths
logger = logging.getLogger(__name__)
@@ -131,17 +132,18 @@ class ODSMgr(object):
self.zl_ldap = LDAPZoneListReader()
def ksmutil(self, params):
- """Call ods-ksmutil with given parameters and return stdout.
+ """Call ods-enforcer with given parameters and return stdout.
Raises CalledProcessError if returncode != 0.
"""
- cmd = ['ods-ksmutil'] + params
+ cmd = [paths.ODS_ENFORCER] + params
result = ipautil.run(cmd, capture_output=True)
return result.output
def get_ods_zonelist(self):
stdout = self.ksmutil(['zonelist', 'export'])
- reader = ODSZoneListReader(stdout)
+ with open(paths.OPENDNSSEC_ZONELIST_FILE) as f:
+ reader = ODSZoneListReader(f.read())
return reader
def add_ods_zone(self, uuid, name):
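Review bot: In `get_ods_zonelist` the result of `self.ksmutil(['zonelist', 'export'])` is still bound to `stdout` but never used; the method now depends on the export having written `paths.OPENDNSSEC_ZONELIST_FILE` as a side effect, which the code does not say. Either drop the assignment and add a comment such as `# ods-enforcer writes the zone list to OPENDNSSEC_ZONELIST_FILE, not stdout`, or verify the file was refreshed before parsing it. The same applies to `result` in `opendnssecinstance.py`, where the explicit `os.chown` and `os.chmod(..., 0o660)` on the zone list were removed, so the file's owner and mode are now whatever `ods-enforcer` produces when run as `constants.ODS_USER`. The method name `ksmutil` also no longer describes the tool being called, although its docstring was updated.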

11
debian/patches/fix-replicainstall.diff vendored Normal file

@@ -0,0 +1,11 @@
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -758,7 +758,7 @@ def install_check(installer):
finally:
shutil.rmtree(tmp_db_dir)
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ ldapuri = 'ldap://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True,
context='installer',
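Review bot: Changing the URI to `ldap://` makes the replica's connection to the master start in cleartext, and the patch carries no description saying why or what protects the session instead. If the connection built from `ldapuri` binds with a password, or is not wrapped in StartTLS or a SASL security layer (the connect call is outside this hunk), credentials and directory data cross the network unencrypted and the master is not authenticated by certificate. Unless the connect call can be shown to add that protection, keep `ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)` and fix the underlying TLS problem; at minimum add a `Description:` header to the patch recording the reason. `install_check` starts and ends outside the hunk.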

14
debian/patches/hack-libarch.diff vendored Normal file

@@ -0,0 +1,14 @@
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -330,9 +330,9 @@ class LDAPUpdate(object):
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
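Review bot: Both return values are hard-coded multiarch directories, so every 64-bit machine is treated as `x86_64-linux-gnu` and everything else as `i386-linux-gnu`; on other architectures (arm64, armhf, ppc64el, s390x) the templated library path would point at a directory that does not exist. Deriving the value from the interpreter, for example `return "/" + sysconfig.get_config_var("MULTIARCH")` with a fallback when it is unset, would cover them without the `platform.architecture()` test. The return value also changes from a suffix (`"64"`) to a path component with a leading slash, which deserves a line in the method's docstring. The method's signature is outside the hunk.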

13
debian/patches/series vendored Normal file

@@ -0,0 +1,13 @@
# upstreamed
# not upstreamable
hack-libarch.diff
enable-mod-nss-during-setup.diff
# send upstream
fix-ipa-conf.diff
fix-replicainstall.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-opendnssec-setup.diff
support-kdb-dal-7.0.diff

90
debian/patches/support-kdb-dal-7.0.diff vendored Normal file

@@ -0,0 +1,90 @@
commit 9f8700fceead6e7b4947dc86f161e78dabb5d186
Author: Robbie Harwood <rharwood@redhat.com>
Date: Mon Oct 9 11:39:09 2017 -0400
ipa-kdb: support KDB DAL version 7.0
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c0f1e276c..b11153ecc 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -709,7 +709,9 @@ kdb_vftabl kdb_function_table = {
};
#endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+#if ((KRB5_KDB_DAL_MAJOR_VERSION == 6) || \
+ (KRB5_KDB_DAL_MAJOR_VERSION == 7)) && \
+ defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 1,
@@ -742,7 +744,8 @@ kdb_vftabl kdb_function_table = {
};
#endif
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && (KRB5_KDB_DAL_MAJOR_VERSION != 6)
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+ (KRB5_KDB_DAL_MAJOR_VERSION != 7)
#error unsupported DAL major version
#endif
-
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 72573a61a..be2f45752 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -326,6 +326,10 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 5f59bf33a..c68a67aa2 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -26,6 +26,10 @@
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4eac379ff..cb71fd7ae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -86,9 +86,13 @@ BuildRequires: openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
+%if 0%{?fedora} > 27
+BuildRequires: krb5-kdb-version = 7.0
+%else
%if 0%{?fedora} > 25
BuildRequires: krb5-kdb-version = 6.1
%endif
+%endif
BuildRequires: krb5-devel >= %{krb5_version}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4
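Review bot: `local_addr` and `remote_addr` are added to `ipadb_audit_as_req` under `#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)`, but nothing in the visible hunks uses them, so the audit hook still cannot attribute an AS-REQ to a client address. That matches the commit message, but the code itself does not say so; a comment next to the parameters such as `/* DAL 7 only: accepted to match the vtable signature, currently unused */` would stop a reader from assuming the addresses are recorded. The same `#if` block is repeated in the prototype in `ipa_kdb.h` and the definition in `ipa_kdb_audit_as.c`, and the two must be kept in step. The function body continues outside the hunk.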