diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch b/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch
new file mode 100644
index 0000000..93e7520
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch
@@ -0,0 +1,361 @@
+diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
+--- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
++++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200
+@@ -0,0 +1,12 @@
++---
++- name: Playbook to change IPA domain netbios name
++ hosts: ipaserver
++ become: no
++ gather_facts: no
++
++ tasks:
++ - name: Set IPA domain netbios name
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ netbios_name: IPADOM
+diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
+--- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
++++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200
+@@ -0,0 +1,12 @@
++---
++- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
++ hosts: ipaserver
++ become: no
++ gather_facts: no
++
++ tasks:
++ - name: Enable SID and generate users and groups SIDS
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ add_sids: yes
+diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
+--- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200
+@@ -148,6 +148,24 @@ options:
+ required: false
+ type: list
+ aliases: ["ipadomainresolutionorder"]
++ enable_sid:
++ description: >
++ New users and groups automatically get a SID assigned.
++ Requires IPA 4.9.8+.
++ required: false
++ type: bool
++ netbios_name:
++ description: >
++ NetBIOS name of the IPA domain.
++ Requires IPA 4.9.8+ and 'enable_sid: yes'.
++ required: false
++ type: string
++ add_sids:
++ description: >
++ Add SIDs for existing users and groups.
++ Requires IPA 4.9.8+ and 'enable_sid: yes'.
++ required: false
++ type: bool
+ '''
+
+ EXAMPLES = '''
+@@ -169,6 +187,24 @@ EXAMPLES = '''
+ ipaadmin_password: SomeADMINpassword
+ defaultshell: /bin/bash
+ maxusername: 64
++
++- name: Playbook to enable SID and generate users and groups SIDs
++ hosts: ipaserver
++ tasks:
++ - name: Enable SID and generate users and groups SIDS
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ add_sids: yes
++
++- name: Playbook to change IPA domain netbios name
++ hosts: ipaserver
++ tasks:
++ - name: Enable SID and generate users and groups SIDS
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ netbios_name: IPADOM
+ '''
+
+ RETURN = '''
+@@ -247,6 +283,14 @@ config:
+ domain_resolution_order:
+ description: list of domains used for short name qualification
+ returned: always
++ enable_sid:
++ description: >
++ new users and groups automatically get a SID assigned.
++ Requires IPA 4.9.8+.
++ returned: always
++ netbios_name:
++ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
++ returned: if enable_sid is True
+ '''
+
+
+@@ -260,6 +304,28 @@ def config_show(module):
+ return _result["result"]
+
+
++def get_netbios_name(module):
++ try:
++ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
++ except Exception: # pylint: disable=broad-except
++ return None
++ else:
++ return _result["result"]["ipantflatname"][0]
++
++
++def is_enable_sid(module):
++ """When 'enable-sid' is true admin user and admins group have SID set."""
++ _result = module.ipa_command("user_show", "admin", {"all": True})
++ sid = _result["result"].get("ipantsecurityidentifier", [""])
++ if not sid[0].endswith("-500"):
++ return False
++ _result = module.ipa_command("group_show", "admins", {"all": True})
++ sid = _result["result"].get("ipantsecurityidentifier", [""])
++ if not sid[0].endswith("-512"):
++ return False
++ return True
++
++
+ def main():
+ ansible_module = IPAAnsibleModule(
+ argument_spec=dict(
+@@ -313,7 +379,10 @@ def main():
+ aliases=["ipauserauthtype"]),
+ ca_renewal_master_server=dict(type="str", required=False),
+ domain_resolution_order=dict(type="list", required=False,
+- aliases=["ipadomainresolutionorder"])
++ aliases=["ipadomainresolutionorder"]),
++ enable_sid=dict(type="bool", required=False),
++ add_sids=dict(type="bool", required=False),
++ netbios_name=dict(type="str", required=False),
+ ),
+ supports_check_mode=True,
+ )
+@@ -344,7 +413,10 @@ def main():
+ "pac_type": "ipakrbauthzdata",
+ "user_auth_type": "ipauserauthtype",
+ "ca_renewal_master_server": "ca_renewal_master_server",
+- "domain_resolution_order": "ipadomainresolutionorder"
++ "domain_resolution_order": "ipadomainresolutionorder",
++ "enable_sid": "enable_sid",
++ "netbios_name": "netbios_name",
++ "add_sids": "add_sids",
+ }
+ reverse_field_map = {v: k for k, v in field_map.items()}
+
+@@ -392,11 +464,47 @@ def main():
+ changed = False
+ exit_args = {}
+
+- # Connect to IPA API
+- with ansible_module.ipa_connect():
++ # Connect to IPA API (enable-sid
requires context == 'client')
++ with ansible_module.ipa_connect(context="client"):
++ has_enable_sid = ansible_module.ipa_command_param_exists(
++ "config_mod", "enable_sid")
+
+ result = config_show(ansible_module)
++
+ if params:
++ netbios_name = params.get("netbios_name")
++ if netbios_name:
++ netbios_name = netbios_name.upper()
++ add_sids = params.get("add_sids")
++ enable_sid = params.get("enable_sid")
++ required_sid = any([netbios_name, add_sids])
++ if required_sid and not enable_sid:
++ ansible_module.fail_json(
++ "'enable-sid: yes' required for 'netbios_name' "
++ "and 'add-sids'."
++ )
++ if enable_sid:
++ if not has_enable_sid:
++ ansible_module.fail_json(
++ "This version of IPA does not support 'enable-sid'.")
++ if (
++ netbios_name
++ and netbios_name == get_netbios_name(ansible_module)
++ ):
++ del params["netbios_name"]
++ netbios_name = None
++ if not add_sids and "add_sids" in params:
++ del params["add_sids"]
++ if (
++ not any([netbios_name, add_sids])
++ and is_enable_sid(ansible_module)
++ ):
++ del params["enable_sid"]
++ else:
++ for param in ["enable_sid", "netbios_name", "add_sids"]:
++ if param in params:
++ del params[params]
++
+ params = {
+ k: v for k, v in params.items()
+ if k not in result or result[k] != v
+@@ -441,6 +549,10 @@ def main():
+ raise ValueError(
+ "Unexpected attribute type: %s" % arg_type)
+ exit_args[k] = type_map[arg_type](value)
++ # Set enable_sid
++ if has_enable_sid:
++ exit_args["enable_sid"] = is_enable_sid(ansible_module)
++ exit_args["netbios_name"] = get_netbios_name(ansible_module)
+
+ # Done
+ ansible_module.exit_json(changed=changed, config=exit_args)
+diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md
+--- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200
+@@ -65,6 +65,9 @@ Example playbook to read config options:
+ maxusername:
64
+ ```
+
++
++Example playbook to set global configuration options:
++
+ ```yaml
+ ---
+ - name: Playbook to ensure some config options are set
+@@ -79,6 +82,40 @@ Example playbook to read config options:
+ ```
+
+
++Example playbook to enable SID and generate users and groups SIDs:
++
++```yaml
++---
++- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
++ hosts: ipaserver
++ become: no
++ gather_facts: no
++
++ tasks:
++ - name: Enable SID and generate users and groups SIDS
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ add_sids: yes
++```
++
++Example playbook to change IPA domain NetBIOS name:
++
++```yaml
++---
++- name: Playbook to change IPA domain netbios name
++ hosts: ipaserver
++ become: no
++ gather_facts: no
++
++ tasks:
++ - name: Set IPA domain netbios name
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ enable_sid: yes
++ netbios_name: IPADOM
++```
++
+ Variables
+ =========
+
+@@ -111,6 +148,9 @@ Variable | Description | Required
+ `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
+ `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
+ `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
++`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
++`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
++`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'.
(bool) | no
+
+
+ Return Values
+@@ -140,6 +180,8 @@ Variable | Description | Returned When
+   | `user_auth_type` |  
+   | `domain_resolution_order` |  
+   | `ca_renewal_master_server` |  
++  | `enable_sid` |  
++  | `netbios_name` |  
+
+ All returned fields take the same form as their namesake input parameters
+
+diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
+--- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
++++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200
+@@ -0,0 +1,70 @@
++---
++- name: Test config
++ hosts: "{{ ipa_test_host | default('ipaserver') }}"
++ become: no
++ gather_facts: no
++
++ tasks:
++
++ # GET CURRENT CONFIG
++
++ - name: Return current values of the global configuration options
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ register: previous
++
++ # TESTS
++ - block:
++ - name: Ensure SID is enabled.
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ enable_sid: yes
++ register: result
++ failed_when: result.failed or previous.config.enable_sid == result.changed
++
++ - name: Ensure SID is enabled, again.
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ enable_sid: yes
++ register: result
++ failed_when: result.failed or result.changed
++
++ - name: Ensure netbios_name is "IPATESTPLAY"
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ enable_sid: yes
++ netbios_name: IPATESTPLAY
++ register: result
++ failed_when: result.failed or not result.changed
++
++ - name: Ensure netbios_name is "IPATESTPLAY", again
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ enable_sid: yes
++ netbios_name: IPATESTPLAY
++ register: result
++ failed_when: result.failed or result.changed
++
++ # add_sids is not idempotent as it always tries to generate the missing
++ # SIDs for users and groups.
++ - name: Add SIDs to users and groups.
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ enable_sid: yes
++ add_sids: yes
++
++ # REVERT TO PREVIOUS CONFIG
++ always:
++ # Once SID is enabled, it cannot be reverted.
++ - name: Revert netbios_name to original configuration
++ ipaconfig:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
++ enable_sid: yes
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch b/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch
new file mode 100644
index 0000000..96e323f
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch
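Review bot: In ipaconfig.py's new SID handling, the `else` branch that strips the SID-related keys when `enable_sid` is not set does `del params[params]`, indexing the dict with itself; whenever one of `enable_sid`, `netbios_name` or `add_sids` is actually present in `params` on that path (an explicit `enable_sid: no`, for instance) this raises `TypeError: unhashable type: 'dict'` instead of dropping the key, and the line should read `del params[param]`. Two smaller points in the same patch: the `netbios_name` option is documented as `type: string` while the argument spec declares `type="str"`, and `is_enable_sid` decides from the hard-coded `admin`/`admins` objects carrying SIDs ending in `-500`/`-512`, an assumption worth a comment since renamed or recreated well-known accounts would presumably make the module report SIDs as disabled and lose idempotency on `enable_sid`. The enclosing `main()` starts and ends outside the hunk.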
@@ -0,0 +1,38 @@
+From 641c550cc3650c6d0aa95f52b422089f64e7fb6a Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Mon, 15 Aug 2022 16:00:06 +0200
+Subject: [PATCH] ipareplica: ipareplica_setup_adtrust fails while updating
+ ipaNTFlatName
+
+The internal parameter sid_generation_always is generated in
+ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
+not enabled.
+
+This parameter was not used for ipareplica_prepare though, therefore
+adtrust.install_check was not executed and did not set the attribute
+adtrust.netbios_name. As a result adtrust.netbios_name was None and the
+try to use this as the new NetBIOS domain name failed with an
+INVALID_SYNTAX error in adtrustinstance while executing
+ipareplica_setup_adtrust.
+
+This issue only occurs if SIDs are not enabled in the domain yet for
+example with an old deployment.
+---
+ roles/ipareplica/tasks/install.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
+index 0e5f840..7413884 100644
+--- a/roles/ipareplica/tasks/install.yml
++++ b/roles/ipareplica/tasks/install.yml
+@@ -201,6 +201,7 @@
+ ### additional ###
+ server: "{{ result_ipareplica_test.server }}"
+ skip_conncheck: "{{ ipareplica_skip_conncheck }}"
++ sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+ register: result_ipareplica_prepare
+
+ - name: Install - Add to ipaservers
+--
+2.37.3
+
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch
new file mode 100644
index 0000000..329e338
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch
@@ -0,0 +1,54 @@ +diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py +--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck 2022-10-07 17:06:41.915918624 +0200 ++++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 17:09:55.228613556 +0200 +@@ -226,7 +226,8 @@ from ansible.module_utils.ansible_ipa_se + read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, + check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, + validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, +- encode_certificate, check_available_memory, adtrustinstance ++ encode_certificate, check_available_memory, adtrustinstance, ++ get_min_idstart + ) + from ansible.module_utils import six + +@@ -580,6 +581,16 @@ def main(): + "'--ignore-topology-disconnect/--ignore-last-of-role' " + "options can be used only during uninstallation") + ++ if get_min_idstart is not None: ++ min_idstart = get_min_idstart() ++ if self.idstart < min_idstart: ++ raise RuntimeError( ++ "idstart (%i) must be larger than UID_MAX/GID_MAX " ++ "(%i) setting in /etc/login.defs." 
% (
++ self.idstart, min_idstart
++ )
++ )
++
+ if self.idmax < self.idstart:
+ raise RuntimeError(
+ "idmax (%s) cannot be smaller than idstart (%s)" %
+diff -up ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py
+--- ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py 2022-10-07 17:07:35.907833419 +0200
+@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger"
+ "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
+ "default_subject_base", "default_ca_subject_dn",
+ "check_ldap_conf", "encode_certificate", "decode_certificate",
+- "check_available_memory"]
++ "check_available_memory", "get_min_idstart"]
+
+ import sys
+
+@@ -178,6 +178,11 @@ else:
+ from ipalib.x509 import load_certificate
+ load_pem_x509_certificate = None
+
++ try:
++ from ipaserver.install.server.install import get_min_idstart
++ except ImportError:
++ get_min_idstart = None
++
+ else:
+ # IPA version < 4.5
+
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch
new file mode 100644
index 0000000..c951d94
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch
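Review bot: `get_min_idstart` is bound (or set to `None`) only inside the IPA >= 4.5 branch of ansible_ipa_server.py, yet it is added to `__all__` and imported by name in ipaserver_test.py; in the `else: # IPA version < 4.5` branch that follows the hunk the name is never defined, so the import in ipaserver_test.py would fail with ImportError on such installations unless that branch binds it further down outside the hunk. Setting the fallback `get_min_idstart = None` once before the version split (or repeating it in the else branch) closes that gap. Separately, the new check rejects only `self.idstart < min_idstart` while the message says "must be larger than UID_MAX/GID_MAX", so the equal case passes silently; align the comparison and the wording. The check itself is worth keeping: an IPA ID range that overlaps the local UID/GID space from /etc/login.defs lets a local account and a directory identity share a numeric id. Both changes sit inside functions that start and end outside the hunk.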
@@ -0,0 +1,55 @@
+From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Mon, 5 Sep 2022 13:16:26 +0200
+Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
+
+In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
+to AnsibleModuleLog this call will lead in a traceback as it was not
+defined.
+
+The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
+role module_utils/ansible_ipa_server.py and in ipareplica role
+module_utils/ansible_ipa_repica.py.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
+ ansible-freeipa Replica Install Setup DNS fails
+Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
+Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
+---
+ roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
+ roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
+index 0e4e738..27ee13d 100644
+--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
++++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
+@@ -222,6 +222,10 @@ else:
+ def info(self, msg):
+ self.module.debug(msg)
+
++ @staticmethod
++ def isatty():
++ return False
++
+ def write(self, msg):
+ self.module.debug(msg)
+ # self.module.warn(msg)
+diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
+index 5b1c4e5..8e7be0b 100644
+--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
++++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
+@@ -255,6 +255,10 @@ else:
+ def info(self, msg):
+ self.module.debug(msg)
+
++ @staticmethod
++ def isatty():
++ return False
++
+ def write(self, msg):
+ self.module.debug(msg)
+ # self.module.warn(msg)
+--
+2.37.3
+
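Review bot: The two new `isatty` stubs carry no explanation in the code; the commit message gives the reason (IPA code probes `sys.stdout.isatty()` and stdout is redirected to `AnsibleModuleLog`), and that belongs on the methods themselves, e.g. the docstring `"""Always False: this sink is the Ansible log, never a terminal."""` in both ansible_ipa_replica.py and ansible_ipa_server.py. Returning a constant False is presumably what is wanted, since it steers any isatty-dependent IPA code onto its non-interactive path under Ansible. Both `AnsibleModuleLog` classes start and end outside the hunks.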
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch
new file mode 100644
index 0000000..50f7fbc
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch
@@ -0,0 +1,259 @@
+diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py
+--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py 2022-10-07 16:51:35.750411448 +0200
+@@ -182,6 +182,9 @@ options:
+ skip_conncheck:
+ description: Skip connection check to remote master
+ required: yes
++ sid_generation_always:
++ description: Enable SID generation always
++ required: yes
+ author:
+ - Thomas Woerner
+ '''
+@@ -275,6 +278,8 @@ def main():
+ # additional
+ server=dict(required=True),
+ skip_conncheck=dict(required=False, type='bool'),
++ sid_generation_always=dict(required=False, type='bool',
++ default=False),
+ ),
+ supports_check_mode=True,
+ )
+@@ -350,6 +355,7 @@ def main():
+ # '_hostname_overridden')
+ options.server = ansible_module.params.get('server')
+ options.skip_conncheck = ansible_module.params.get('skip_conncheck')
++ sid_generation_always = ansible_module.params.get('sid_generation_always')
+
+ # init #
+
+@@ -755,7 +761,7 @@ def main():
+
+ ansible_log.debug("-- CHECK ADTRUST --")
+
+- if options.setup_adtrust:
++ if options.setup_adtrust or sid_generation_always:
+ adtrust.install_check(False, options, remote_api)
+
+ except errors.ACIError:
+diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py
+--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py 2022-10-07 16:44:59.008094369 +0200
+@@ -71,6 +71,9 @@ options:
+ setup_ca:
+ description: Configure a dogtag CA
+ required: no
++ setup_adtrust:
++ description: Configure AD trust capability
++ 
required: yes
+ config_master_host_name:
+ description: The config master_host_name setting
+ required: no
+@@ -112,6 +115,7 @@ def main():
+ ccache=dict(required=True),
+ _top_dir=dict(required=True),
+ setup_ca=dict(required=True, type='bool'),
++ setup_adtrust=dict(required=True, type='bool'),
+ config_master_host_name=dict(required=True),
+ ),
+ supports_check_mode=True,
+@@ -140,6 +144,7 @@ def main():
+ os.environ['KRB5CCNAME'] = ccache
+ options._top_dir = ansible_module.params.get('_top_dir')
+ options.setup_ca = ansible_module.params.get('setup_ca')
++ options.setup_adtrust = ansible_module.params.get('setup_adtrust')
+ config_master_host_name = ansible_module.params.get(
+ 'config_master_host_name')
+ adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
+diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py
+--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py 2022-10-07 16:50:45.621497736 +0200
+@@ -144,7 +144,7 @@ from ansible.module_utils.ansible_ipa_re
+ ansible_module_get_parsed_ip_addresses, service,
+ redirect_stdout, create_ipa_conf, ipautil,
+ x509, validate_domain_name, common_check,
+- IPA_PYTHON_VERSION
++ IPA_PYTHON_VERSION, adtrustinstance
+ )
+
+
+@@ -271,6 +271,14 @@ def main():
+ # # options.setup_adtrust = False
+ # # ansible_module.warn(msg="adtrust is not supported, disabling")
+
++ sid_generation_always = False
++ if not options.setup_adtrust:
++ # pylint: disable=deprecated-method
++ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__)
++ # pylint: enable=deprecated-method
++ if "fulltrust" in argspec.args:
++ sid_generation_always = True
++
+ # if options.setup_kra and not kra_imported:
+ # # if "kra" not in options._allow_missing:
+ # 
ansible_module.fail_json(msg="kra can not be imported")
+@@ -472,6 +480,7 @@ def main():
+ # additional
+ client_enrolled=client_enrolled,
+ change_master_for_certmonger=change_master_for_certmonger,
++ sid_generation_always=sid_generation_always
+ )
+
+
+diff -up ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py
+--- ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py 2022-10-07 16:54:27.707115487 +0200
+@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception",
+ "common_check", "current_domain_level",
+ "check_domain_level_is_supported", "promotion_check_ipa_domain",
+ "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
+- "dnsname", "kernel_keyring", "krbinstance"]
++ "dnsname", "kernel_keyring", "krbinstance",
++ "adtrustinstance"]
+
+ import sys
+
+@@ -105,6 +106,7 @@ else:
+ adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
+ installutils, kra, krbinstance,
+ otpdinstance, custodiainstance, service, upgradeinstance)
++ from ipaserver.install import adtrustinstance
+ try:
+ from ipaserver.masters import (
+ find_providing_servers, find_providing_server)
+diff -up ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml
+--- ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml 2022-10-07 16:44:59.008094369 +0200
+@@ -748,13 +748,15 @@
+ ccache: "{{ result_ipareplica_prepare.ccache }}"
+ _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
+ setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
++ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
+ config_master_host_name:
+ "{{ 
result_ipareplica_prepare.config_master_host_name }}"
+ adtrust_netbios_name:
+ "{{ result_ipareplica_prepare.adtrust_netbios_name }}"
+ adtrust_reset_netbios_name:
+ "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
+- when: result_ipareplica_test.setup_adtrust
++ when: result_ipareplica_test.setup_adtrust or
++ result_ipareplica_test.sid_generation_always
+
+ - name: Install - Enable IPA
+ ipareplica_enable_ipa:
+diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py
+--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
++++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py 2022-10-07 16:47:45.005808635 +0200
+@@ -141,6 +141,9 @@ options:
+ setup_ca:
+ description: Configure a dogtag CA
+ required: yes
++ sid_generation_always:
++ description: Enable SID generation always
++ required: yes
+ _hostname_overridden:
+ description: The installer _hostname_overridden setting
+ required: yes
+@@ -213,6 +216,8 @@ def main():
+
+ # additional
+ setup_ca=dict(required=False, type='bool', default=False),
++ sid_generation_always=dict(required=False, type='bool',
++ default=False),
+ _hostname_overridden=dict(required=False, type='bool',
+ default=False),
+ ),
+@@ -279,6 +284,7 @@ def main():
+ options.setup_ca = ansible_module.params.get('setup_ca')
+ options._host_name_overridden = ansible_module.params.get(
+ '_hostname_overridden')
++ sid_generation_always = ansible_module.params.get('sid_generation_always')
+ options.kasp_db_file = None
+
+ # init ##################################################################
+@@ -371,7 +377,7 @@ def main():
+ logger.debug('Starting Directory Server')
+ services.knownservices.dirsrv.start(instance_name)
+
+- if options.setup_adtrust:
++ if options.setup_adtrust or sid_generation_always:
+ with redirect_stdout(ansible_log):
+ 
adtrust.install_check(False, options, api) + +diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py +--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100 ++++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 16:46:12.413968014 +0200 +@@ -226,7 +226,7 @@ from ansible.module_utils.ansible_ipa_se + read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, + check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, + validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, +- encode_certificate, check_available_memory ++ encode_certificate, check_available_memory, adtrustinstance + ) + from ansible.module_utils import six + +@@ -395,12 +395,16 @@ def main(): + + # version specific ###################################################### + +- if options.setup_adtrust and not adtrust_imported: +- # if "adtrust" not in options._allow_missing: +- ansible_module.fail_json(msg="adtrust can not be imported") +- # else: +- # options.setup_adtrust = False +- # ansible_module.warn(msg="adtrust is not supported, disabling") ++ sid_generation_always = False ++ if not options.setup_adtrust: ++ # pylint: disable=deprecated-method ++ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__) ++ # pylint: enable=deprecated-method ++ if "fulltrust" in argspec.args: ++ sid_generation_always = True ++ else: ++ if not adtrust_imported: ++ ansible_module.fail_json(msg="adtrust can not be imported") + + if options.setup_kra and not kra_imported: + # if "kra" not in options._allow_missing: +@@ -522,7 +526,8 @@ def main(): + "You cannot specify an --enable-compat option without the " + "--setup-adtrust option") + +- if self.netbios_name: ++ # Deactivate test for new IPA SID generation ++ if self.netbios_name and not sid_generation_always: + raise RuntimeError( + "You cannot specify a 
--netbios-name option without the " + "--setup-adtrust option") +@@ -1079,7 +1084,8 @@ def main(): + ntp_pool=options.ntp_pool, + # additional + _installation_cleanup=_installation_cleanup, +- domainlevel=options.domainlevel) ++ domainlevel=options.domainlevel, ++ sid_generation_always=sid_generation_always) + + + if __name__ == '__main__': +diff -up ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml +--- ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100 ++++ ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml 2022-10-07 16:48:36.946719227 +0200 +@@ -191,6 +191,7 @@ + secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" + ### additional ### + setup_ca: "{{ result_ipaserver_test.setup_ca }}" ++ sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}" + _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}" + register: result_ipaserver_prepare + +@@ -392,7 +393,8 @@ + adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}" + adtrust_reset_netbios_name: + "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}" +- when: result_ipaserver_test.setup_adtrust ++ when: result_ipaserver_test.setup_adtrust or ++ result_ipaserver_test.sid_generation_always + + - name: Install - Set DS password + ipaserver_set_ds_password: diff --git a/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch b/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch new file mode 100644 index 0000000..76f4e0f --- /dev/null +++ b/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch 
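Review bot: Both new feature probes, in ipareplica_test.py and ipaserver_test.py, call `inspect.getargspec`, which was deprecated since Python 3.0 and removed in Python 3.11, so on a 3.11+ interpreter `main()` raises AttributeError before any check runs; `inspect.getfullargspec` returns an object with the same `.args` attribute, so `argspec = inspect.getfullargspec(adtrustinstance.ADTRUSTInstance.__init__)` is a drop-in replacement in both files and the pylint disable/enable comments can go (assuming `inspect` is already imported in both modules, which the hunks do not show). Two related points: `sid_generation_always` is documented as `required: yes` in ipareplica_prepare.py and ipaserver_prepare.py while the argument spec declares it `required=False, default=False`, and in ipaserver_test.py the probe now dereferences `adtrustinstance.ADTRUSTInstance` whenever `setup_adtrust` is off, which would fail with an AttributeError or NameError if the adtrust import did not succeed, a case the retained `adtrust_imported` check only covers on the `setup_adtrust` path. All of these changes sit inside `main()` functions that start and end outside the hunks.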
@@ -0,0 +1,79 @@
+From 6124dc0cf1a7653f11e88d80290aeb231e486cab Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman
+Date: Tue, 26 Apr 2022 11:11:12 -0300
+Subject: [PATCH] ipatrust: Updated ipatrust documentation.
+
+This patch updates the ipatrust documentation about the 'trust_type'
+parameter, and changes one password to be similar to the standard
+passwords used in other modules.
+---
+ README-trust.md | 1 +
+ plugins/modules/ipatrust.py | 5 +++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/README-trust.md b/README-trust.md
+index ef04f6c..efa69c7 100644
+--- a/README-trust.md
++++ b/README-trust.md
+@@ -105,6 +105,7 @@ Variable | Description | Required
+ `password` | Active Directory domain administrator's password string. | no
+ `server` | Domain controller for the Active Directory domain string. | no
+ `trust_secret` | Shared secret for the trust string. | no
++`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
+ `base_id` | First posix id for the trusted domain integer. | no
+ `range_size` | Size of the ID range reserved for the trusted domain integer. | no
+ `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
+diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
+index 0c7aac5..d94ec94 100644
+--- a/plugins/modules/ipatrust.py
++++ b/plugins/modules/ipatrust.py
+@@ -44,7 +44,8 @@ options:
+ description:
+ - Trust type (ad for Active Directory, default)
+ default: ad
+- required: true
++ required: false
++ choices: ["ad"]
+ admin:
+ description:
+ - Active Directory domain administrator
+@@ -103,7 +104,7 @@ EXAMPLES = """
+ realm: ad.example.test
+ trust_type: ad
+ admin: Administrator
+- password: Welcome2020!
++ password: SomeW1Npassword
+ state: present
+
+ # delete ad-trust
+--
+2.37.3
+
+From 423a6b0e12e87adb86cd76095a7b260d19ab4959 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman
+Date: Tue, 12 Apr 2022 18:47:20 -0300
+Subject: [PATCH] ipatrust: Set valid choices for trust_type.
+
+Ensure only valid choices for trust_type ('ad') are available for the
+module parameter.
+---
+ plugins/modules/ipatrust.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
+index 6251ecc..0c7aac5 100644
+--- a/plugins/modules/ipatrust.py
++++ b/plugins/modules/ipatrust.py
+@@ -190,7 +190,8 @@ def main():
+ state=dict(type="str", default="present",
+ choices=["present", "absent"]),
+ # present
+- trust_type=dict(type="str", default="ad", required=False),
++ trust_type=dict(type="str", default="ad", required=False,
++ choices=["ad"]),
+ admin=dict(type="str", default=None, required=False),
+ password=dict(type="str", default=None,
+ required=False, no_log=True),
+--
+2.37.3
+
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch b/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch
new file mode 100644
index 0000000..b7d804d
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch
@@ -0,0 +1,298 @@
+From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman
+Date: Wed, 13 Apr 2022 08:12:26 -0300
+Subject: [PATCH] ipatrust: Fix support for `range_type`.
+
+The ipatrust module was ignoring the value of `range_type`, which is
+required to allow for different types of idranges.
+---
+ plugins/modules/ipatrust.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
+index 6251ecc..40b61b5 100644
+--- a/plugins/modules/ipatrust.py
++++ b/plugins/modules/ipatrust.py
+@@ -157,7 +157,7 @@ def add_trust(module, realm, args):
+
+
+ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
+- range_size, _range_type, two_way, external):
++ range_size, range_type, two_way, external):
+ _args = {}
+ if trust_type is not None:
+ _args["trust_type"] = trust_type
+@@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
+ _args["base_id"] = base_id
+ if range_size is not None:
+ _args["range_size"] = range_size
++ if range_type is not None:
++ _args["range_type"] = range_type
+ if two_way is not None:
+ _args["bidirectional"] = two_way
+ if external is not None:
+--
+2.37.3
+
+From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman
+Date: Wed, 30 Mar 2022 14:22:15 -0300
+Subject: [PATCH] tests/trust: Improved test coverage and execution.
+
+This patch applies several changes to the ipatrust test playbook:
+
+* Add externally defined parameters so execution in local trust
+ environments can be configured. The available parameters are:
+ * winserver_admin_password: the Administrator password for the AD
+ server (default: 'SomeW1Npassword')
+ * winserver_domain: the AD server domain (default: 'windows.local')
+ * winserver realm: the AD server realm (by default, the uppercase
+ version of winserver_domain)
+ * ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
+ * ipaserver_realm: the FreeIPA server realm (by default, the
+ uppercase version of ipaserver_domain
+
+* Modify trust verification to check for the existence of the trust as
+ it the output of `ipa trust-find`, instead of cheking for the number
+ of items returned, as the number might vary.
+
+* Add idempotency tests by re-executing tasks and verifying that no
+ change was performed.
+
+* Added tests to verify creation of trusts with different 'range_type'.
+
+* Use a Kerberos cache for shell scripts, and destroy it on exit.
+
+* Properly remove all `idrange` that might be created upon setting up a
+ trust.
+---
+ tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------
+ 1 file changed, 137 insertions(+), 24 deletions(-)
+
+diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml
+index e4ecdf5..5d1280d 100644
+--- a/tests/trust/test_trust.yml
++++ b/tests/trust/test_trust.yml
+@@ -1,55 +1,168 @@
+ ---
+-- name: find trust
++- name: Test ipatrust
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
+ become: true
+ gather_facts: false
+
++ vars:
++ adserver:
++ domain: "{{ winserver_domain | default('windows.local')}}"
++ realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
++ password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
++ ipaserver:
++ domain: "{{ ipaserver_domain | default('ipa.test')}}"
++ realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
++ trust_exists: 'Realm name: {{ adserver.domain }}'
++ ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
++ ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
++
+ tasks:
+
+ - block:
+
+- - name: delete trust
++ - name: Delete test trust
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+- realm: windows.local
++ realm: "{{ adserver.domain }}"
+ state: absent
+- register: del_trust
+
+- - name: check for trust
++ - name: Clear test idranges
+ shell: |
+- echo 'SomeADMINpassword' | kinit admin
+- ipa trust-find windows.local
+- register: check_find_trust
+- failed_when: "'0 trusts matched' not in check_find_trust.stdout"
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa idrange-del {{ adserver.realm }}_id_range || true
++ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
++ kdestroy -c test_krb5_cache -q -A
+
+- - name: delete id range
++ - name: Add trust with range_type 'ipa-ad-trust'
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ admin: Administrator
++ trust_type: ad
++ range_type: ipa-ad-trust
++ password: "{{ adserver.password }}"
++ state: present
++ register: result
++ failed_when: result.failed or not result.changed
++
++ - name: check if 'ipa-ad-trust' trust exists
+ shell: |
+ echo 'SomeADMINpassword' | kinit admin
+- ipa idrange-del WINDOWS.LOCAL_id_range
+- when: del_trust['changed'] | bool
++ ipa trust-find
++ kdestroy -c test_krb5_cache -q -A
++ register: check_add_trust
++ failed_when: "trust_exists not in check_add_trust.stdout"
+
+- - name: check for range
++ - name: Add trust with range_type 'ipa-ad-trust', again
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ admin: Administrator
++ range_type: ipa-ad-trust
++ password: "{{ adserver.password }}"
++ state: present
++ register: result
++ failed_when: result.failed or result.changed
++
++ - name: Delete 'ipa-ad-trust' trust
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ state: absent
++ register: result
++ failed_when: result.failed or not result.changed
++
++ - name: Check if 'ipa-ad-trust' trust was removed
+ shell: |
+- echo 'SomeADMINpassword' | kinit admin
+- ipa idrange-find WINDOWS.LOCAL_id_range
+- register: check_del_idrange
+- failed_when: "'0 ranges matched' not in check_del_idrange.stdout"
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa trust-find
++ kdestroy -c test_krb5_cache -q -A
++ register: check_add_trust
++ failed_when: "trust_exists in check_add_trust.stdout"
++
++ - name: Delete 'ipa-ad-trust' trust, again
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ state: absent
++ register: result
++ failed_when: result.failed or result.changed
++
++ - name: Clear test idranges
++ shell: |
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa idrange-del {{ adserver.realm }}_id_range || true
++ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
++ kdestroy -c test_krb5_cache -q -A
+
+- - name: add trust
++ - name: Add trust with range_type 'ipa-ad-trust-posix'
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+- realm: windows.local
++ realm: "{{ adserver.domain }}"
+ admin: Administrator
+- password: secret_ad_pw
++ range_type: ipa-ad-trust-posix
++ password: "{{ adserver.password }}"
+ state: present
++ register: result
++ failed_when: result.failed or not result.changed
+
+- - name: check for trust
++ - name: Check if 'ipa-ad-trust-posix' trust exists
+ shell: |
+- echo 'SomeADMINpassword' | kinit admin
+- ipa trust-find windows.local
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa trust-find
++ kdestroy -c test_krb5_cache -q -A
+ register: check_add_trust
+- failed_when: "'1 trust matched' not in check_add_trust.stdout"
++ failed_when: "trust_exists not in check_add_trust.stdout"
++
++ - name: Add trust with range_type 'ipa-ad-trust-posix', again
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ admin: Administrator
++ range_type: ipa-ad-trust-posix
++ password: "{{ adserver.password }}"
++ state: present
++ register: result
++ failed_when: result.failed or result.changed
++
++ - name: Delete 'ipa-ad-trust-posix' trust
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ state: absent
++ register: result
++ failed_when: result.failed or not result.changed
++
++ - name: Check if trust 'ipa-ad-trust-posix' was removed
++ shell: |
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa trust-find
++ kdestroy -c test_krb5_cache -q -A
++ register: check_del_trust
++ failed_when: "trust_exists in check_del_trust.stdout"
++
++ - name: Delete 'ipa-ad-trust-posix' trust, again
++ ipatrust:
++ ipaadmin_password: SomeADMINpassword
++ ipaapi_context: "{{ ipa_context | default(omit) }}"
++ realm: "{{ adserver.domain }}"
++ state: absent
++ register: result
++ failed_when: result.failed or result.changed
++
++ - name: Clear test idranges
++ shell: |
++ kinit -c test_krb5_cache admin <<< SomeADMINpassword
++ ipa idrange-del {{ adserver.realm }}_id_range || true
++ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
++ kdestroy -c test_krb5_cache -q -A
+
+ when: trust_test_is_supported | default(false)
+--
+2.37.3
+
+From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman
+Date: Wed, 30 Mar 2022 14:42:12 -0300
+Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name.
+
+As the task is expected to fail, the AD realm name was modified to show
+the expected behavior more clearly.
+---
+ tests/trust/test_trust_client_context.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml
+index 2ea3853..6f4ff06 100644
+--- a/tests/trust/test_trust_client_context.yml
++++ b/tests/trust/test_trust_client_context.yml
+@@ -13,7 +13,7 @@
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: server
+- realm: windows.local
++ realm: this.test.should.fail
+ register: result
+ failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+ when: ipa_host_is_client
+--
+2.37.3
+
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
index c7c4948..57ef11f 100644
--- a/SPECS/ansible-freeipa.spec
+++ b/SPECS/ansible-freeipa.spec
@@ -8,10 +8,17 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
 Name: ansible-freeipa
 Version: 1.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://github.com/freeipa/ansible-freeipa
 License: GPLv3+
 Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1: ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch
+Patch2: ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch
+Patch3: ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch
+Patch4: ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch
+Patch5: ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch
+Patch6: ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch
+Patch7: ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch
 BuildArch: noarch
 %description
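Review bot: In test_trust.yml the task `check if 'ipa-ad-trust' trust exists` keeps the old context line `echo 'SomeADMINpassword' | kinit admin` but now ends with `kdestroy -c test_krb5_cache -q -A`, so the admin TGT is obtained in the default credential cache while the kdestroy targets the named one, and that ticket stays behind on the test host after the play. It should use the same `kinit -c test_krb5_cache admin <<< SomeADMINpassword` line as the other shell tasks in this hunk. It also looks like the named cache is never exported (no `KRB5CCNAME=test_krb5_cache` before the `ipa` calls), so `ipa trust-find` and `ipa idrange-del` presumably authenticate with whatever the default cache holds rather than the ticket just obtained — worth confirming, since the checks may only pass because of that leftover default-cache ticket.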
@@ -109,6 +116,13 @@ to get the needed requrements to run the tests.
 %prep
 %setup -q
 # Do not create backup files with patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 # Fix python modules and module utils:
 # - Remove shebang
@@ -166,6 +180,18 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
 %{_datadir}/ansible-freeipa/requirements-tests.txt
 %changelog
+* Mon Oct 10 2022 Thomas Woerner - 1.6.3-2
+- ipatrust: fix range_type and set valid choices for trust_type
+ Resolves: RHBZ#2132967
+- ipaserver/ipareplica: Always generate SIDs
+ Resolves: RHBZ#2132970
+- ipaserver: Add missing idstart check
+ Resolves: RHBZ#2132975
+- ansible-freeipa Replica Install Setup DNS fails
+ Resolves: RHBZ#2132989
+- ipaconfig does not support SID and netbios attributes
+ Resolves: RHBZ#2132995
+
 * Thu Jan 27 2022 Thomas Woerner - 1.6.3-1
 - Update to version 1.6.3
 https://github.com/freeipa/ansible-freeipa/releases/tag/v1.6.3