diff --git a/SOURCES/0063-Consider-configured-servers-as-valid.patch b/SOURCES/0063-Consider-configured-servers-as-valid.patch
new file mode 100644
index 0000000..71b417b
--- /dev/null
+++ b/SOURCES/0063-Consider-configured-servers-as-valid.patch
@@ -0,0 +1,107 @@
+From ad3022b24462cc7bc33f810c2d20b4b00006a14c Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 29 Apr 2019 11:12:30 +0200
+Subject: [PATCH] Consider configured servers as valid
+
+Under some conditions, ipa config-show and several other commands were
+failing with error message:
+
+ ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
+
+Amongst others the issue can be caused by a broken installation, when
+some services are left in state 'configuredServices'. The problem even
+block uninstallation or removal of replicas. Now configured servers are
+also consider valid providers for associated roles.
+
+A new test verifies that config-show works with hidden and configured HTTP
+service.
+
+Remark: The original intent of the sanity check is no longer clear to me. I
+think it was used to very that all services can be started by ipactl.
+Since ipactl starts hidden, configured, and enabled services, the new
+logic reflect the fact, too.
+
+Fixes: https://pagure.io/freeipa/issue/7929
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/servroles.py | 12 +++++---
+ ipatests/test_integration/test_commands.py | 33 ++++++++++++++++++++++
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
+index bf33923ded4ca6559fba504e1b447086e87d2083..756ce91a8164144978363f04f6abd8de18b93524 100644
+--- a/ipaserver/servroles.py
++++ b/ipaserver/servroles.py
+@@ -338,12 +338,16 @@ class ServerAttribute(LDAPBasedProperty):
+ ldap.update_entry(service_entry)
+
+ def _get_assoc_role_providers(self, api_instance):
+- """
+- get list of all servers on which the associated role is enabled
++ """get list of all servers on which the associated role is enabled
++
++ Consider a configured server as a valid provider for a
++ role, as all services are started.
+ """
+ return [
+- r[u'server_server'] for r in self.associated_role.status(
+- api_instance) if r[u'status'] == ENABLED]
++ r[u'server_server']
++ for r in self.associated_role.status(api_instance)
++ if r[u'status'] in {ENABLED,CONFIGURED}
++ ]
+
+ def _remove(self, api_instance, masters):
+ """
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index b2c0d5c710c9810cfd74216983f793808f4cf3c4..4237de4eea2981c52ecb664d132e6607cb2ac25d 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -6,6 +6,11 @@
+ from __future__ import absolute_import
+
+ from ipatests.test_integration.base import IntegrationTest
++from ipapython.dn import DN
++
++from ipaserver.masters import (
++ CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE
++)
+
+
+ class TestIPACommand(IntegrationTest):
+@@ -46,3 +51,31 @@ class TestIPACommand(IntegrationTest):
+ assert result.returncode == 0
+ assert "SELinux user map order: {}".format(
+ maporder) in result.stdout_text
++
++ def test_config_show_configured_services(self):
++ # https://pagure.io/freeipa/issue/7929
++ states = {CONFIGURED_SERVICE, ENABLED_SERVICE}
++ dn = DN(
++ ('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),
++ ('cn', 'ipa'), ('cn', 'etc'),
++ self.master.domain.basedn # pylint: disable=no-member
++ )
++
++ conn = self.master.ldap_connect()
++ entry = conn.get_entry(dn) # pylint: disable=no-member
++
++ # original setting and all settings without state
++ orig_cfg = list(entry['ipaConfigString'])
++ other_cfg = [item for item in orig_cfg if item not in states]
++
++ try:
++ # test with configured
++ cfg = [CONFIGURED_SERVICE]
++ cfg.extend(other_cfg)
++ entry['ipaConfigString'] = cfg
++ conn.update_entry(entry) # pylint: disable=no-member
++ self.master.run_command(['ipa', 'config-show'])
++ finally:
++ # reset
++ entry['ipaConfigString'] = orig_cfg
++ conn.update_entry(entry) # pylint: disable=no-member
+-- +2.20.1 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index df4ee0b..85463af 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From e443dc9390ead872bfa0c7ae35323023f21cebc9 Mon Sep 17 00:00:00 2001 +From 230a9128ebe8e7a18b11e1b922e63b9e0acf9973 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -1023,5 +1023,5 @@ index 6037938330f13a30d0ccfbedcaac59c567bda0d6..b8a0c82d394edb8744de34394895b86f """) + _(""" To enable the binddn run the following command to set the password: -- -2.17.2 +2.20.1 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 1579d1d..617dba8 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From ddd951ba70e11fb6332f57e94a3b1a22ded08a39 Mon Sep 17 00:00:00 2001 +From aca4b01ab02eb6da70c37c55bac15ff4e56d3bb8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index d6e467097808594756d947fa721b8cf10fe7d043..a52336fd71ffb44e3f7dfcc95656bd82 -- -2.17.2 +2.20.1 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index aa68b30..041d2c9 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 6f6d25da7a5e93de9f8c80e7fe3419d4b0c60a72 Mon Sep 17 00:00:00 2001 +From 18b3392fd5a43ffddf5662ead763835df59e1377 Mon Sep 17 00:00:00 2001 
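Review bot: The added `test_config_show_configured_services` only runs `ipa config-show` with the HTTP entry switched to the configured state and asserts nothing about the result, while the servroles.py change makes `_get_assoc_role_providers` accept CONFIGURED servers as providers for every ServerAttribute. The commit message promises coverage for hidden services too, but `HIDDEN_SERVICE` is imported and never used in the visible test; either add the hidden case or drop the name from the import. Because this relaxes a validity check on master roles, the docstring should say why a configured-but-not-enabled server is acceptable, for example `ipactl starts configured services, so such a server can provide the role`, instead of only "as all services are started". As a style point, `{ENABLED,CONFIGURED}` should be written `{ENABLED, CONFIGURED}`. Both `ServerAttribute` and `TestIPACommand` start outside the hunks shown, so other callers of the provider list are not visible here.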
From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.17.2 +2.20.1 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 5f47da2..6bc8a5e 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From bbe70ea811007cf8426ac14565e7da47b3ae1ced Mon Sep 17 00:00:00 2001 +From c9c12213e6c72512177009bf73bd966f13d2ed30 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.17.2 +2.20.1 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 4ebfa79..21a7ec0 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From eaa2dd2de04147dbca127673d3c2473955b9289c Mon Sep 17 00:00:00 2001 +From ed8ee0c41555e42f1a62edca231d116890b36b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -123,5 +123,5 @@ index 8211c03515bf70b681da49d27ae11a4e8cb3b44d..a40b5d45ff8406c3ebbb69465e8d71d7 - assert p.returncode > 0, (out, err) - assert b'System encoding must be UTF-8' in err, (out, err) -- -2.17.2 +2.20.1 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 18c5e60..7c3b557 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -93,7 +93,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 10%{?dist}.3 +Release: 10%{?dist}.6 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -101,10 +101,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -171,12 +171,12 @@ Patch0059: 0059-ipatests-add-test-for-replica-in-forward-zone.patch Patch0060: 0060-Add-workaround-for-slow-host-service-del.patch Patch0061: 0061-Optimize-cert-remove-case.patch Patch0062: 0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch +Patch0063: 0063-Consider-configured-servers-as-valid.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch Patch1005: 1005-Removing-filesystem-encoding-check.patch -Patch1006: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf 
@@ -982,10 +982,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1746,8 +1746,9 @@ fi %changelog -* Tue Mar 12 2019 CentOS Sources - 4.6.4-10.el7.centos.3 -- Roll in CentOS Branding +* Thu Jun 6 2019 Florence Blanc-Renaud - 4.6.4-10.el7_6.6 +- Resolves: 1716882 - ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled + - Consider configured servers as valid * Mon Feb 4 2019 Florence Blanc-Renaud - 4.6.4-10.el7_6.3 - Resolves: 1672343 pki spawn fails for IPA replica install from RHEL6 IPA master