diff -Nru freeipa-3.3.4/debian/changelog freeipa-3.3.4/debian/changelog --- freeipa-3.3.4/debian/changelog 2014-03-22 17:08:04.000000000 +0000 +++ freeipa-3.3.4/debian/changelog 2014-04-10 08:57:56.000000000 +0000 @@ -1,3 +1,14 @@ +freeipa (3.3.4-0ubuntu3) trusty; urgency=medium + + * Merge from unreleased debian git: + Fix ipa-client-install issues (LP: #1282818) + - fix auth platform module + - use new pykerberos api + - don't install a default conf + - use sqlite-based nssdb's instead of old + + -- Timo Aaltonen Thu, 10 Apr 2014 11:57:53 +0300 + freeipa (3.3.4-0ubuntu2) trusty; urgency=medium * Update build-deps for the xmlrpc-c 1.33.06 transition. @@ -60,4 +71,9 @@ - check-dbus-before-starting.diff: Check to see if dbus is running before attempting to start it + [ Timo Aaltonen ] + * use-new-nssdb.diff: Use sqlite-based nssdb's instead of old. + * control: Add python-dnspython and python-ldap to python-freeipa + Depends. + -- Timo Aaltonen Tue, 01 Nov 2011 10:52:25 -0400 diff -Nru freeipa-3.3.4/debian/control freeipa-3.3.4/debian/control --- freeipa-3.3.4/debian/control 2014-03-22 17:07:47.000000000 +0000 +++ freeipa-3.3.4/debian/control 2014-04-10 08:57:35.000000000 +0000 @@ -1,8 +1,8 @@ Source: freeipa Section: net Priority: extra -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Ubuntu FreeIPA +Maintainer: Ubuntu FreeIPA +XSBC-Original-Maintainer: Debian FreeIPA Team Uploaders: Timo Aaltonen Build-Depends: quilt, debhelper (>= 9), dh-autoreconf, # client @@ -34,6 +34,7 @@ python-support, # server 389-ds-base-dev (>= 1.1.3), + libkrad-dev, libsss-idmap-dev, libsss-nss-idmap-dev, libsvrcore-dev, @@ -60,7 +61,6 @@ python-freeipa (= ${binary:Version}), bind9utils, certmonger, - keyutils, krb5-user, libcurl3 (>= 7.22.0), libnss3-tools, 
@@ -88,7 +88,10 @@ Depends: ${shlibs:Depends}, ${python:Depends}, ${misc:Depends}, gnupg, iproute, + keyutils, + python-dnspython, python-kerberos, + python-ldap, python-libipa-hbac, python-lxml, python-netaddr, diff -Nru freeipa-3.3.4/debian/freeipa-client.dirs freeipa-3.3.4/debian/freeipa-client.dirs --- freeipa-3.3.4/debian/freeipa-client.dirs 2014-02-18 14:10:48.000000000 +0000 +++ freeipa-3.3.4/debian/freeipa-client.dirs 2014-04-10 08:57:38.000000000 +0000 @@ -1 +1,2 @@ +etc/ipa var/lib/ipa-client/sysrestore diff -Nru freeipa-3.3.4/debian/patches/add-debian-platform.diff freeipa-3.3.4/debian/patches/add-debian-platform.diff --- freeipa-3.3.4/debian/patches/add-debian-platform.diff 2014-02-18 14:10:48.000000000 +0000 +++ freeipa-3.3.4/debian/patches/add-debian-platform.diff 2014-04-10 08:57:38.000000000 +0000 @@ -52,7 +52,8 @@ +check_selinux_status = redhat.check_selinux_status --- /dev/null +++ b/ipapython/platform/debian/auth.py -@@ -0,0 +1,42 @@ +@@ -0,0 +1,33 @@ ++from ipapython import ipautil +from ipapython.platform import base + +class DebianAuthConfig(base.AuthConfig): 
@@ -70,30 +71,20 @@
 + """
 +
 + def __build_args(self):
-+ args = ['--force']
++ args = ['--force', '--package']
 + for (option, value) in self.parameters.items():
 + if option == "sssdauth":
 + option = "sss"
-+ # only sssd supported, filter the dupe
-+ elif option in ["sssd", "krb5", "ldap", "update"]:
-+ option = ""
-+ if type(value) is bool:
-+ if value:
-+ if not "package" in args:
-+ args.append("--package %s" % (option))
-+ else:
-+ args.append("%s" % (option))
-+ else:
-+ if not any("remove" in s for s in args):
-+ args.append("--remove %s" % (option))
-+ else:
-+ args.append("%s" % (option))
-+
++ if type(value) is bool and not value:
++ if not any("remove" in s for s in args):
++ args.append("--remove")
++ args.append("%s" % (option))
++ return args
 +
 + def execute(self):
-+ env = "DEBCONF_FRONTEND=noninteractive"
++ env = {"DEBCONF_FRONTEND" : "noninteractive"}
 + args = self.__build_args()
-+ ipautil.run(["/usr/sbin/pam-auth-update"]+args,env)
++ ipautil.run(["/usr/sbin/pam-auth-update"] + args, env = env)
 +
 --- /dev/null
 +++ b/ipapython/platform/debian/service.py
diff -Nru freeipa-3.3.4/debian/patches/fix-pykerberos-api.diff freeipa-3.3.4/debian/patches/fix-pykerberos-api.diff
--- freeipa-3.3.4/debian/patches/fix-pykerberos-api.diff 1970-01-01 00:00:00.000000000 +0000
+++ freeipa-3.3.4/debian/patches/fix-pykerberos-api.diff 2014-04-10 08:57:38.000000000 +0000
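Review bot: In `__build_args`, `if not any("remove" in s for s in args)` is a substring test over every argument collected so far, so a profile name that happens to contain "remove" would suppress the real flag; the exact test `if "--remove" not in args:` states what is meant. Indentation is lost on this page, so it is not visible whether `args.append("%s" % (option))` sits inside the `bool and not value` branch; if it runs for every option, enabled profiles that follow the first disabled one in `self.parameters.items()` order end up behind `--remove`, which is worth confirming against pam-auth-update's argument handling because it decides which PAM profiles stay active. In `execute`, `env` is now a one-key dict, and whether `ipautil.run` merges it into the inherited environment is not shown here, so a comment such as `# env is passed as-is to ipautil.run; confirm PATH and locale are still set for pam-auth-update` would help. `type(value) is bool` reads better as `isinstance(value, bool)`.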
@@ -0,0 +1,11 @@
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
+ service = "HTTP@" + host.split(':')[0]
+
+ try:
+- (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
++ (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
+ except kerberos.GSSError, e:
+ self._handle_exception(e)
+
diff -Nru freeipa-3.3.4/debian/patches/include-ldflags-otpd.diff freeipa-3.3.4/debian/patches/include-ldflags-otpd.diff
--- freeipa-3.3.4/debian/patches/include-ldflags-otpd.diff 1970-01-01 00:00:00.000000000 +0000
+++ freeipa-3.3.4/debian/patches/include-ldflags-otpd.diff 2014-04-04 08:46:42.000000000 +0000
@@ -0,0 +1,21 @@
+commit 75dadc1d8ffc3ac84c4b1988c266ef60de1a6cfe
+Author: Jan Cholasta
+Date: Wed Dec 4 18:39:44 2013 +0100
+
+ Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
+
+ Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.
+
+ https://fedorahosted.org/freeipa/ticket/3896
+
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index f0b7528..ed99c3e 100644
+--- a/daemons/ipa-otpd/Makefile.am
++++ b/daemons/ipa-otpd/Makefile.am
+@@ -1,5 +1,5 @@
+ AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
+-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
++AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
+
+ noinst_HEADERS = internal.h
+ libexec_PROGRAMS = ipa-otpd
diff -Nru freeipa-3.3.4/debian/patches/series freeipa-3.3.4/debian/patches/series
--- freeipa-3.3.4/debian/patches/series 2014-02-18 14:18:45.000000000 +0000
+++ freeipa-3.3.4/debian/patches/series 2014-04-10 08:33:27.000000000 +0000
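Review bot: The keyword call `kerberos.authGSSClientInit(service, gssflags=self.flags)` only works with a pykerberos module whose signature accepts `gssflags`, yet the `python-kerberos` entry visible in debian/control's Depends carries no version bound. With an older module the call would presumably raise `TypeError`, which the `except kerberos.GSSError` clause below does not catch, so the client would fail with a traceback instead of going through `_handle_exception`. Consider a versioned dependency in debian/control, `python-kerberos (>= <first-version-with-gssflags>)` (placeholder, version not on this page), and a short description header at the top of the patch file saying why the flags are now passed by keyword. The enclosing method begins and ends outside the inner hunk.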
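Review bot: Dropping `-pie -Wl,-z,relro -Wl,-z,now` from `AM_LDFLAGS` leaves ipa-otpd's PIE and full-RELRO/BIND_NOW hardening entirely to whatever `$(LDFLAGS)` the package build supplies, and nothing on this page shows debian/rules exporting those flags. The quoted upstream message is about rpmbuild; on the Debian side the equivalent would be a line such as `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` in debian/rules (not visible here, so confirm), since the default dpkg-buildflags set may not include pie or bindnow. ipa-otpd sits in the authentication path and `libkrad-dev` is newly added to Build-Depends, which suggests the daemon is now actually built, so the resulting binary is worth checking with `hardening-check` before upload. The patch file would also benefit from DEP-3 `Origin:` and `Applied-Upstream:` headers pointing at the quoted commit.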
@@ -15,3 +15,7 @@
 fix-symlink-exclusion.diff
 check-dbus-before-starting.diff
 add-debian-platform.diff
+use-new-nssdb.diff
+
+include-ldflags-otpd.diff
+fix-pykerberos-api.diff
diff -Nru freeipa-3.3.4/debian/patches/use-new-nssdb.diff freeipa-3.3.4/debian/patches/use-new-nssdb.diff
--- freeipa-3.3.4/debian/patches/use-new-nssdb.diff 1970-01-01 00:00:00.000000000 +0000
+++ freeipa-3.3.4/debian/patches/use-new-nssdb.diff 2014-04-10 08:57:38.000000000 +0000
@@ -0,0 +1,49 @@
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -201,7 +201,7 @@ def log_service_error(name, action, erro
+ root_logger.error("%s failed to %s: %s", name, action, str(error))
+
+ def nickname_exists(nickname):
+- (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
++ (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "sql:/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
+
+ if returncode == 0:
+ return True
+@@ -365,7 +365,7 @@ def uninstall(options, env):
+ # Remove our host cert and CA cert
+ if nickname_exists("IPA CA"):
+ try:
+- run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
++ run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA"])
+ except Exception, e:
+ root_logger.error(
+ "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e))
+@@ -393,7 +393,7 @@ def uninstall(options, env):
+
+ if nickname_exists(client_nss_nickname):
+ try:
+- run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
++ run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", client_nss_nickname])
+ except Exception, e:
+ root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s",
+ client_nss_nickname, str(e))
+@@ -2297,7 +2297,7 @@ def install(options, env, fstore, states
+
+ # Add the CA to the default NSS database and trust it
+ try:
+- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
++ run(["/usr/bin/certutil", "-A", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the default NSS database.")
+ return CLIENT_INSTALL_ERROR
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -322,7 +322,7 @@ class SSLTransport(LanguageAwareTranspor
+ if self._connection and host == self._connection[0]:
+ return self._connection[1] + +- dbdir = '/etc/pki/nssdb' ++ dbdir = 'sql:/etc/pki/nssdb' + no_init = self.__nss_initialized(dbdir) + if sys.version_info < (2, 7): + conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) diff -Nru freeipa-3.3.4/debian/python-freeipa.install freeipa-3.3.4/debian/python-freeipa.install --- freeipa-3.3.4/debian/python-freeipa.install 2014-02-18 14:10:48.000000000 +0000 +++ freeipa-3.3.4/debian/python-freeipa.install 2014-04-10 08:33:27.000000000 +0000 @@ -7,4 +7,3 @@ usr/lib/python*/dist-packages/ipapython-*.egg-info usr/lib/python*/dist-packages/python_default_encoding-*.egg-info usr/share/locale -etc/ipa/default.conf diff -Nru freeipa-3.3.4/debian/rules freeipa-3.3.4/debian/rules --- freeipa-3.3.4/debian/rules 2014-02-18 14:18:45.000000000 +0000 +++ freeipa-3.3.4/debian/rules 2014-04-10 08:57:35.000000000 +0000 @@ -60,8 +60,6 @@ make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client-install DESTDIR=$(DESTDIR) endif - touch $(DESTDIR)/etc/ipa/default.conf - # purge .la files find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \; # purge precompiled .pyc/.pyo files
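Review bot: Every certutil call and the `dbdir` in `SSLTransport` now address `sql:/etc/pki/nssdb`, but nothing in this patch handles a client that was enrolled while the code still used the old database format. If the old-format files in that directory hold the "IPA CA" entry added with trust `CT,C,C`, `nickname_exists()` in `uninstall` would query the SQLite store, find nothing, and leave that trust anchor and the host certificate in place; this is inferred from the visible calls and should be confirmed on an upgraded system. A migration step, or a fallback check of the un-prefixed path during uninstall, would close that gap. Separately, the literal is repeated five times across two files, so a single constant such as `NSS_DB_DIR = 'sql:/etc/pki/nssdb'` would keep install, uninstall and the RPC transport from drifting apart.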