debian/0000775000000000000000000000000012370371336007175 5ustar debian/patches/0000775000000000000000000000000012370170110010607 5ustar debian/patches/prefix.patch0000664000000000000000000000215212370157252013141 0ustar Author: Timo Aaltonen Date: Mon Jan 2 16:09:40 2012 +0200 use the debian layout when installing python modules --- a/Makefile +++ b/Makefile @@ -153,7 +153,7 @@ server-install: server if [ "$(DESTDIR)" = "" ]; then \ $(PYTHON) setup.py install; \ else \ - $(PYTHON) setup.py install --root $(DESTDIR); \ + $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \ fi tests: version-update tests-man-autogen --- a/ipapython/Makefile +++ b/ipapython/Makefile @@ -14,7 +14,7 @@ install: if [ "$(DESTDIR)" = "" ]; then \ python setup.py install; \ else \ - python setup.py install --root $(DESTDIR); \ + python setup.py install --root $(DESTDIR) --install-layout=deb; \ fi @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ --- a/ipapython/py_default_encoding/Makefile +++ b/ipapython/py_default_encoding/Makefile @@ -9,7 +9,7 @@ install: if [ "$(DESTDIR)" = "" ]; then \ python setup.py install; \ else \ - python setup.py install --root $(DESTDIR); \ + python setup.py install --root $(DESTDIR) --install-layout=deb; \ fi clean: debian/patches/no-testcert.patch0000664000000000000000000000052412370157252014114 0ustar Author: Timo Aaltonen Date: Tue Nov 1 11:48:27 2011 -0400 Add no-testcert.patch to not fail make-testcert. they need a working certificate server running --- a/Makefile +++ b/Makefile @@ -102,7 +102,7 @@ lint: bootstrap-autogen test: - ./make-testcert +# ./make-testcert ./make-test release-update: debian/patches/dont-search-platform-path.diff0000664000000000000000000000067412370157252016447 0ustar --- a/ipapython/py_default_encoding/setup.py +++ b/ipapython/py_default_encoding/setup.py 
@@ -22,7 +22,7 @@ from distutils.sysconfig import get_pyth import sys import os -python_header = os.path.join(get_python_inc(plat_specific=1), 'Python.h') +python_header = os.path.join(get_python_inc(plat_specific=0), 'Python.h') if not os.path.exists(python_header): sys.exit("Cannot find Python development packages that provide Python.h") debian/patches/correct-python-path.diff0000664000000000000000000000055512370157252015374 0ustar --- a/Makefile +++ b/Makefile @@ -50,7 +50,7 @@ ifneq ($(DEVELOPER_MODE),0) LINT_OPTIONS=--no-fail endif -PYTHON ?= $(shell rpm -E %__python) +PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python) # Uncomment to increase Java stack size for Web UI build in case it fails # because of stack overflow exception. Default should be OK for most platforms. debian/patches/fix-symlink-exclusion.diff0000664000000000000000000000161512370157252015741 0ustar Description: Don't exclude symlinks when loading plugins FreeIPA uses custom helpers to enumerate and load plugins. These plugins, provided by the ipalib module, are excluded due to being symlinked in from /usr/lib/pyshared as part of the dh_python2 installation process. . This change can probably be submitted upstream, but I have no idea why the original author would exclude symlinks in the first place, nor why a custom loader is being used. Author: Nick Hatch Last-Update: 2013-03-20 --- freeipa.orig/ipalib/util.py +++ freeipa/ipalib/util.py 
@@ -81,7 +81,7 @@ if not name.endswith(suffix): continue pyfile = os.path.join(src_dir, name) - if os.path.islink(pyfile) or not os.path.isfile(pyfile): + if not os.path.isfile(pyfile): continue module = name[:-len(suffix)] if module == '__init__': debian/patches/series0000664000000000000000000000073212370160260012033 0ustar # not upstreamable no-testcert.patch prefix.patch no-test-lang.diff fix-install-layout.diff fix-ntpdate-opts.diff fix-ldap-conf-path.diff port-ipa-client-automount.diff dont-check-for-systemd-pc.diff fix-portability-of-nss.diff # send upstream correct-python-path.diff dont-search-platform-path.diff fix-symlink-exclusion.diff check-dbus-before-starting.diff add-debian-platform.diff use-new-nssdb.diff include-ldflags-otpd.diff fix-pykerberos-api.diff fix-ntp-paths.diff debian/patches/fix-ntpdate-opts.diff0000664000000000000000000000077512370157252014674 0ustar Our ntp isn't patched to drop privileges. --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py @@ -147,7 +147,7 @@ def synconce_ntp(server_fqdn): if os.path.exists(ntpdate): # retry several times -- logic follows /etc/init.d/ntpdate # implementation - cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn] + cmd = [ntpdate, "-s", "-b", "-v", server_fqdn] for retry in range(0, 3): try: ipautil.run(cmd) debian/patches/fix-pykerberos-api.diff0000664000000000000000000000060712370157252015200 0ustar --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -380,7 +380,7 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: - (rc, vc) = kerberos.authGSSClientInit(service, self.flags) + (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags) except kerberos.GSSError, e: self._handle_exception(e) debian/patches/dont-check-for-systemd-pc.diff0000664000000000000000000000154012356761121016346 0ustar avoid build-dependency on systemd, which doesn't exist on ubuntu diff --git a/daemons/configure.ac b/daemons/configure.ac index e57dad2..9ca5198 100644 
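Review bot: In ipalib/util.py the rewritten test `if not os.path.isfile(pyfile):` follows symlinks, so any link in `src_dir` whose target is a regular file is now accepted as a plugin module, wherever that target lives. The patch description gives the reason (dh_python2 links the modules in from /usr/lib/pyshared), but the code does not record that the loader now trusts whatever a link resolves to. A comment on the line would do that, for example `# symlinks accepted on purpose: dh_python2 links modules in from /usr/lib/pyshared`. Comparing `os.path.realpath(pyfile)` against an expected root would narrow the acceptance to that case. The enclosing function starts and ends outside the hunk, so how the module is imported afterwards is not visible here.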
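Review bot: In synconce_ntp of ipa-client/ipaclient/ntpconf.py the new `cmd` no longer carries `-U ntp`, so ntpdate keeps the privileges of the calling installer for the whole exchange with `server_fqdn` instead of switching to the ntp user. The patch header gives the reason, but nothing in the code records it. A comment above the line such as `# Debian's ntpdate has no -U option, so it runs with the caller's privileges` would keep the trade-off visible to whoever next refreshes this patch. The function body continues outside the hunk.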
--- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -232,7 +232,7 @@ PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) dnl --------------------------------------------------------------------------- dnl - Check for systemd unit directory dnl --------------------------------------------------------------------------- -PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) +dnl PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) AC_ARG_WITH([systemdsystemunitdir], AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]), [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)]) debian/patches/fix-install-layout.diff0000664000000000000000000000066712370157252015233 0ustar --- a/Makefile +++ b/Makefile @@ -82,9 +82,9 @@ client-install: client client-dirs done cd install/po && $(MAKE) install || exit 1; if [ "$(DESTDIR)" = "" ]; then \ - $(PYTHON) setup-client.py install; \ + $(PYTHON) setup-client.py install --install-layout=deb; \ else \ - $(PYTHON) setup-client.py install --root $(DESTDIR); \ + $(PYTHON) setup-client.py install --install-layout=deb --root $(DESTDIR); \ fi client-dirs: debian/patches/add-debian-platform.diff0000664000000000000000000002012112370170110015227 0ustar commit b076743f2cdd3a3cb9e8d0e8be7be8c90160fc21 Author: Timo Aaltonen Date: Fri Mar 1 12:21:00 2013 +0200 add debian platform support --- /dev/null +++ b/ipapython/platform/debian/__init__.py 
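Review bot: In daemons/configure.ac the default for `with_systemdsystemunitdir` on the AC_ARG_WITH line that follows is still taken from `$PKG_CONFIG --variable=systemdsystemunitdir systemd`, which the now commented-out check used to guarantee would work. Without systemd.pc that command presumably yields an empty directory unless `--with-systemdsystemunitdir` is passed, as debian/rules on this page does for the daemons directory. A `dnl` comment next to the disabled check saying that the option is now mandatory on such systems, or a fixed fallback path in the default branch, would make the dependency explicit. Whether an empty value is rejected later in configure.ac is outside the hunk.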
@@ -0,0 +1,43 @@ +import os + +from ipapython.platform import base, redhat, fedora18 +from ipapython.platform.debian.auth import DebianAuthConfig +from ipapython.platform.debian.service import debian_service, DebianServices + +# All what we allow exporting directly from this module +# Everything else is made available through these symbols when they are +# directly imported into ipapython.services: +# +# authconfig -- class reference for platform-specific implementation of +# authconfig(8) +# service -- class reference for platform-specific implementation of a +# PlatformService class +# knownservices -- factory instance to access named services IPA cares about, +# names are ipapython.services.wellknownservices +# backup_and_replace_hostname -- platform-specific way to set hostname and +# make it persistent over reboots +# restore_network_configuration -- platform-specific way of restoring network +# configuration (e.g. static hostname) +# restore_context -- platform-sepcific way to restore security context, if +# applicable +# check_selinux_status -- platform-specific way to see if SELinux is enabled +# and restorecon is installed. +__all__ = ['authconfig', 'service', 'knownservices', + 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status', + 'restore_network_configuration', 'timedate_services'] + +# Just copy a referential list of timedate services +timedate_services = list(base.timedate_services) + +def restore_network_configuration(fstore, statestore): + filepath = '/etc/hostname' + if fstore.has_file(filepath): + fstore.restore_file(filepath) + hostname_was_configured = True + +authconfig = DebianAuthConfig +service = debian_service +knownservices = DebianServices() +backup_and_replace_hostname = fedora18.backup_and_replace_hostname +restore_context = redhat.restore_context +check_selinux_status = redhat.check_selinux_status --- /dev/null +++ b/ipapython/platform/debian/auth.py 
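Review bot: `restore_network_configuration` in ipapython/platform/debian/__init__.py assigns `hostname_was_configured = True` to a local that is never read or returned, and it never touches its `statestore` argument, so its only effect is restoring /etc/hostname from `fstore`. Either drop the assignment or return the flag if callers need it, and add a one-line docstring such as `"""Restore /etc/hostname from the file store if a backup exists."""`. The module also binds `restore_context` and `check_selinux_status` to the redhat implementations; how those behave on a system without SELinux tooling cannot be judged from this page and deserves a comment once confirmed.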
@@ -0,0 +1,33 @@ +from ipapython import ipautil +from ipapython.platform import base + +class DebianAuthConfig(base.AuthConfig): + """ + Debian implementation of the AuthConfig class. + + Debian doesn't provide a single application for changing both + nss and pam configuration. PAM can be configured using debconf but there + is currently no such solution for updating NSS database and every package + does it by itself. + + We'll have to play a catch-up game with the rest of the FreeIPA project + filtering out .enable() and .disable() calls that are useless for us, + and making the best out of the rest of them. + """ + + def __build_args(self): + args = ['--force', '--package'] + for (option, value) in self.parameters.items(): + if option == "sssdauth": + option = "sss" + if type(value) is bool and not value: + if not any("remove" in s for s in args): + args.append("--remove") + args.append("%s" % (option)) + return args + + def execute(self): + env = {"DEBCONF_FRONTEND" : "noninteractive"} + args = self.__build_args() + ipautil.run(["/usr/sbin/pam-auth-update"] + args, env = env) + --- /dev/null +++ b/ipapython/platform/debian/service.py 
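Review bot: In `__build_args` of ipapython/platform/debian/auth.py, `--remove` is appended when the first false-valued parameter is seen, and every option name visited after that point follows it, whether its own value is true or false. Which names end up after `--remove` therefore depends on the iteration order of `self.parameters` rather than on the values, which matters for a command that rewrites the PAM stack. Collecting the disabled names separately and appending them after a single `--remove` at the end keeps enabled and disabled options apart, as in the excerpt below. Whether pam-auth-update gives the remaining positional names any meaning is not visible on this page and should be checked.

```python
    def __build_args(self):
        args = ['--force', '--package']
        removed = []
        for (option, value) in self.parameters.items():
            if option == "sssdauth":
                option = "sss"
            if value is False:
                # disabled options are gathered and emitted after --remove
                removed.append("%s" % (option))
            else:
                args.append("%s" % (option))
        if removed:
            args.append("--remove")
            args.extend(removed)
        return args
```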
@@ -0,0 +1,111 @@ +import time + +from ipapython import ipautil +from ipapython.ipa_log_manager import root_logger +from ipapython.platform import base +from ipalib import api + +class DebianService(base.PlatformService): + def __wait_for_open_ports(self, instance_name=""): + """ + If this is a service we need to wait for do so. + """ + ports = None + if instance_name in base.wellknownports: + ports = base.wellknownports[instance_name] + else: + if self.service_name in base.wellknownports: + ports = base.wellknownports[self.service_name] + if ports: + ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout) + def stop(self, instance_name='', capture_output=True): + ipautil.run(["/usr/sbin/service", self.service_name, "stop", + instance_name], capture_output=capture_output) + if 'context' in api.env and api.env.context in ['ipactl', 'installer']: + update_service_list = True + else: + update_service_list = False + super(DebianService, self).stop(instance_name) + + def start(self, instance_name='', capture_output=True, wait=True): + ipautil.run(["/usr/sbin/service", self.service_name, "start", + instance_name], capture_output=capture_output) + if 'context' in api.env and api.env.context in ['ipactl', 'installer']: + update_service_list = True + else: + update_service_list = False + if wait and self.is_running(instance_name): + self.__wait_for_open_ports(instance_name) + super(DebianService, self).start(instance_name) + + def restart(self, instance_name='', capture_output=True, wait=True): + ipautil.run(["/usr/sbin/service", self.service_name, "restart", + instance_name], capture_output=capture_output) + if wait and self.is_running(instance_name): + self.__wait_for_open_ports(instance_name) + + def is_running(self, instance_name=""): + ret = True + try: + (sout, serr, rcode) = ipautil.run(["/usr/sbin/service", + self.service_name, "status", + instance_name]) + if sout.find("NOT running") >= 0: + ret = False + if sout.find("stop") >= 0: + ret = False + 
except ipautil.CalledProcessError: + ret = False + return ret + + def is_installed(self): + installed = True + try: + ipautil.run(["/usr/sbin/service", self.service_name, "status"]) + except ipautil.CalledProcessError, e: + if e.returncode == 1: + # service is not installed or there is other serious issue + installed = False + return installed + + def is_enabled(self, instance_name=""): + # Services are always assumed to be enabled when installed + # exept chronyd, which conflicts with ntp + if self.service_name == "chronyd": + return False + else: + return True + + def enable(self): + return True + + def disable(self): + return True + + def install(self): + return True + + def remove(self): + return True + +class DebianSSHService(DebianService): + def get_config_dir(self, instance_name=""): + return '/etc/ssh' + +def debian_service(name): + if name == 'sshd': + return DebianSSHService(name) + return DebianService(name) + +class DebianServices(base.KnownServices): + def __init__(self): + services = dict() + for s in base.wellknownservices: + if s == "messagebus": + services[s] = debian_service("dbus") + elif s == "ntpd": + services[s] = debian_service("ntp") + else: + services[s] = debian_service(s) + # Call base class constructor. This will lock services to read-only + super(DebianServices, self).__init__(services) --- a/ipapython/setup.py.in +++ b/ipapython/setup.py.in 
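Review bot: `is_running` in ipapython/platform/debian/service.py starts from `ret = True` and only turns False when the status output contains `NOT running` or `stop`, or when `ipautil.run` raises `CalledProcessError`, so any status text it does not recognise is reported as a running service. Callers that gate a start on this result would then skip the start; the check-dbus-before-starting patch on this page does so for messagebus. A comment naming the init-script outputs the two substrings are meant to match is the minimum; deciding from the exit status would be less fragile, if the `rcode` returned by `ipautil.run` is reliable for `service … status`. Separately, `update_service_list` is computed in `stop` and `start` but never used, and an empty `instance_name` is passed to `service` as an empty argument.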
@@ -68,6 +68,7 @@ def setup_package(): packages = [ "ipapython", "ipapython.platform", "ipapython.platform.base", + "ipapython.platform.debian", "ipapython.platform.fedora16", "ipapython.platform.fedora18", "ipapython.platform.redhat" ], debian/patches/include-ldflags-otpd.diff0000664000000000000000000000144712370157252015464 0ustar commit 75dadc1d8ffc3ac84c4b1988c266ef60de1a6cfe Author: Jan Cholasta Date: Wed Dec 4 18:39:44 2013 +0100 Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file. Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd. https://fedorahosted.org/freeipa/ticket/3896 diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index f0b7528..ed99c3e 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -1,5 +1,5 @@ AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now +AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h libexec_PROGRAMS = ipa-otpd debian/patches/fix-ldap-conf-path.diff0000664000000000000000000000070712370157252015042 0ustar --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -854,7 +854,7 @@ def configure_openldap_conf(fstore, cli_ {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option', 'value':CACERT},] - target_fname = '/etc/openldap/ldap.conf' + target_fname = '/etc/ldap/ldap.conf' fstore.backup_file(target_fname) error_msg = "Configuring {path} failed with: {err}" debian/patches/check-dbus-before-starting.diff0000664000000000000000000000236412370157252016563 0ustar --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
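Review bot: With `-pie -Wl,-z,relro -Wl,-z,now` removed from `AM_LDFLAGS` in daemons/ipa-otpd/Makefile.am, ipa-otpd is linked as a hardened binary only if the inherited `$(LDFLAGS)` supplies those flags. The upstream commit message relies on rpmbuild for that; the debian/rules shown on this page sets no hardening options, so in this packaging PIE and immediate binding would presumably depend on the distribution defaults. If the daemon is ever built here (rules currently sets `ONLY_CLIENT=1`), adding `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` to debian/rules would bring the equivalent flags back through dpkg-buildflags.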
@@ -372,10 +372,11 @@ def uninstall(options, env): # Always start certmonger. We can't untrack something if it isn't # running messagebus = ipaservices.knownservices.messagebus - try: - messagebus.start() - except Exception, e: - log_service_error(messagebus.service_name, 'start', e) + if not messagebus.is_running(): + try: + messagebus.start() + except Exception, e: + log_service_error(messagebus.service_name, 'start', e) cmonger = ipaservices.knownservices.certmonger try: @@ -970,10 +971,11 @@ def configure_certmonger(fstore, subject principal = 'host/%s@%s' % (hostname, cli_realm) messagebus = ipaservices.knownservices.messagebus - try: - messagebus.start() - except Exception, e: - log_service_error(messagebus.service_name, 'start', e) + if not messagebus.is_running(): + try: + messagebus.start() + except Exception, e: + log_service_error(messagebus.service_name, 'start', e) # Ensure that certmonger has been started at least once to generate the # cas files in /var/lib/certmonger/cas. debian/patches/port-ipa-client-automount.diff0000664000000000000000000000166112370157252016521 0ustar diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount index 3952642..e7b843e 100755 --- a/ipa-client/ipa-install/ipa-client-automount +++ b/ipa-client/ipa-install/ipa-client-automount @@ -39,10 +39,10 @@ from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipapython import services as ipaservices -AUTOFS_CONF = '/etc/sysconfig/autofs' +AUTOFS_CONF = '/etc/default/autofs' NSSWITCH_CONF = '/etc/nsswitch.conf' AUTOFS_LDAP_AUTH = '/etc/autofs_ldap_auth.conf' -NFS_CONF = '/etc/sysconfig/nfs' +NFS_CONF = '/etc/default/nfs-common' IDMAPD_CONF = '/etc/idmapd.conf' def parse_options(): 
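Review bot: In both hunks of ipa-client-install (uninstall and configure_certmonger) the new `messagebus.is_running()` call sits outside the `try`, so an exception raised while querying the service status now aborts the function, whereas a failed start was previously logged through `log_service_error` and execution continued. The Debian `is_running` on this page catches only `ipautil.CalledProcessError`, so other errors from running the status command could propagate. Moving the test inside the block keeps the best-effort behaviour: `try:` then `if not messagebus.is_running():` then `messagebus.start()`. Both enclosing functions continue outside the hunks.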
@@ -309,7 +309,7 @@ def configure_nfs(fstore, statestore): Configure secure NFS """ replacevars = { - 'SECURE_NFS': 'yes', + 'NEED_GSSD': 'yes', } ipautil.backup_config_and_replace_variables(fstore, NFS_CONF, replacevars=replacevars) debian/patches/fix-ntp-paths.diff0000664000000000000000000000247212370160600014153 0ustar --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -604,7 +604,7 @@ def uninstall(options, env): # to this version but not unenrolled/enrolled again # In such case it is OK to fail restored = fstore.restore_file("/etc/ntp.conf") - restored |= fstore.restore_file("/etc/sysconfig/ntpd") + restored |= fstore.restore_file("/etc/default/ntp") if ntp_step_tickers: restored |= fstore.restore_file("/etc/ntp/step-tickers") except Exception: --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py @@ -98,7 +98,7 @@ def __write_config(path, content): def config_ntp(server_fqdn, fstore = None, sysstore = None): path_step_tickers = "/etc/ntp/step-tickers" path_ntp_conf = "/etc/ntp.conf" - path_ntp_sysconfig = "/etc/sysconfig/ntpd" + path_ntp_sysconfig = "/etc/default/ntp" sub_dict = { } sub_dict["SERVER"] = server_fqdn --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -202,7 +202,7 @@ Files that will be replaced if they exis Files replaced if NTP is enabled: /etc/ntp.conf\p -/etc/sysconfig/ntpd\p +/etc/default/ntp\p /etc/ntp/step\-tickers\p .TP Files always created (replacing existing content): debian/patches/no-test-lang.diff0000664000000000000000000000033412370157252013765 0ustar --- a/Makefile +++ b/Makefile @@ -98,7 +98,7 @@ client-dirs: lint: bootstrap-autogen ./make-lint $(LINT_OPTIONS) - $(MAKE) -C install/po validate-src-strings +# $(MAKE) -C install/po validate-src-strings test: debian/patches/fix-portability-of-nss.diff0000664000000000000000000000413712370157252016013 0ustar From 2d9e290970e71d373b91cd0cd1db52b991636889 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Thu, 28 Nov 2013 15:32:07 +0100 Subject: [PATCH] BUILD: Fix portability of NSS in file ipa_pwd.c --- daemons/ipa-kdb/Makefile.am | 4 +++- daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 + util/ipa_pwd.c | 8 ++++---- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index dc543dd..b3d6a1b 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -21,6 +21,7 @@ AM_CPPFLAGS = \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NDRPAC_CFLAGS) \ + $(NSS_CFLAGS) \ $(NULL) plugindir = $(libdir)/krb5/plugins/kdb @@ -51,6 +52,7 @@ ipadb_la_LIBADD = \ $(LDAP_LIBS) \ $(NDRPAC_LIBS) \ $(UNISTRING_LIBS) \ + $(NSS_LIBS) \ $(NULL) if HAVE_CHECK @@ -77,7 +79,7 @@ ipa_kdb_tests_LDADD = \ $(KRB5_LIBS) \ $(LDAP_LIBS) \ $(NDRPAC_LIBS) \ - -lnss3 \ + $(NSS_LIBS) \ -lkdb5 \ -lsss_idmap \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index b53b2e1..3323d72 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -22,6 +22,7 @@ AM_CPPFLAGS = \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ + $(NSS_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c index 761d1ef..f6564c8 100644 --- a/util/ipa_pwd.c +++ b/util/ipa_pwd.c @@ -27,10 +27,10 @@ #include #include #include -#include -#include -#include -#include +#include +#include +#include +#include #include #include "ipa_pwd.h" -- 1.8.4.2 debian/patches/use-new-nssdb.diff0000664000000000000000000000463012370157252014152 0ustar --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -201,7 +201,7 @@ def log_service_error(name, action, erro root_logger.error("%s failed to %s: %s", name, action, str(error)) def nickname_exists(nickname): - (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False) + (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "sql:/etc/pki/nssdb", "-n", nickname], raiseonerr=False) if returncode == 0: return True @@ -365,7 +365,7 @@ def uninstall(options, env): # Remove our host cert and CA cert if nickname_exists("IPA CA"): try: - run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"]) + run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA"]) except Exception, e: root_logger.error( "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e)) @@ -393,7 +393,7 @@ def uninstall(options, env): if nickname_exists(client_nss_nickname): try: - run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname]) + run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", client_nss_nickname]) except Exception, e: root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s", client_nss_nickname, str(e)) @@ -2297,7 +2297,7 @@ def install(options, env, fstore, states # Add the CA to the default NSS database and trust it try: - run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT]) + run(["/usr/bin/certutil", "-A", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT]) except CalledProcessError, e: root_logger.info("Failed to add CA to the default NSS database.") return CLIENT_INSTALL_ERROR --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
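Review bot: The database location `sql:/etc/pki/nssdb` is now spelled out in four separate certutil calls in ipa-client-install and again as `dbdir` in the ipalib/rpc.py hunk, and the CA certificate added with `-A` is only found later if every reader uses the same prefix. A call site that keeps the bare path would presumably address the legacy database format in the same directory, so a lookup or removal could miss the entry without any error pointing at the cause. Defining the value once per module, for example `NSS_DB_DIR = 'sql:/etc/pki/nssdb'`, and using it in each call would remove that risk. The error messages in uninstall still print the path without the prefix, which is harmless but worth aligning. The functions touched here all extend beyond their hunks.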
@@ -322,7 +322,7 @@ class SSLTransport(LanguageAwareTranspor if self._connection and host == self._connection[0]: return self._connection[1] - dbdir = '/etc/pki/nssdb' + dbdir = 'sql:/etc/pki/nssdb' no_init = self.__nss_initialized(dbdir) if sys.version_info < (2, 7): conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) debian/source/0000775000000000000000000000000012370157252010474 5ustar debian/source/format0000664000000000000000000000001512356761121011703 0ustar 3.0 (quilt) debian/control0000664000000000000000000000506412370157252010604 0ustar Source: freeipa Section: net Priority: extra Maintainer: Ubuntu FreeIPA XSBC-Original-Maintainer: Debian FreeIPA Team Uploaders: Timo Aaltonen Build-Depends: quilt, debhelper (>= 9), dh-autoreconf, # client gettext, krb5-user, libcurl4-nss-dev, libkrb5-dev (>= 1.12), libldap2-dev, libnss3-dev, libnspr4-dev, libpopt-dev, libsasl2-dev, libssl-dev, libtalloc-dev, libxmlrpc-core-c3-dev, python-all-dev, python-dnspython, python-kerberos, python-krbv, python-ldap, python-libipa-hbac, python-memcache, python-netaddr, python-nss, python-openssl, python-polib, python-setuptools, python-sss (>= 1.8.0), python-support, # server 389-ds-base-dev (>= 1.1.3), libkrad-dev, libsss-idmap-dev, libsss-nss-idmap-dev, libsvrcore-dev, libtevent-dev, libunistring-dev, libverto-dev, rhino, samba-dev, selinux-policy-dev, uuid-dev, # tests check, libcmocka-dev, python-lxml, python-nose, Standards-Version: 3.9.3 Vcs-Git: git://git.debian.org/git/pkg-freeipa/freeipa.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-freeipa/freeipa.git Homepage: http://www.freeipa.org Package: freeipa-client Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, python-freeipa (= ${binary:Version}), bind9utils, certmonger, krb5-user, libcurl3 (>= 7.22.0), libnss3-tools, libsasl2-modules-gssapi-mit, libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5), ntp, python-dnspython, python-ldap, python-krbv, sssd (>= 1.9.2), wget, Suggests: 
libpam-krb5, Description: FreeIPA centralized identity framework -- client FreeIPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy (configuration settings, access control information) and Audit (events, logs, analysis thereof). . This is the client package. Package: python-freeipa Architecture: any Section: python Depends: ${shlibs:Depends}, ${python:Depends}, ${misc:Depends}, gnupg, iproute, keyutils, python-dnspython, python-kerberos, python-ldap, python-libipa-hbac, python-lxml, python-netaddr, python-nss, python-openssl, Description: FreeIPA centralized identity framework -- python modules FreeIPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy (configuration settings, access control information) and Audit (events, logs, analysis thereof). . This Python module is used by other FreeIPA packages. debian/changelog0000664000000000000000000000644012370371327011053 0ustar freeipa (3.3.4-0ubuntu3.1) trusty-proposed; urgency=medium * fix-ntp-paths.diff: Don't use fedora paths for ntpd options. (LP: #1309655) * add-debian-platform.diff: Let testing chronyd always return false, since the package already conflicts with ntp so can't be installed/enabled at the same time. Allows configuring ntpd without forcing it. (LP: #1309655) -- Timo Aaltonen Tue, 05 Aug 2014 18:59:50 +0300 freeipa (3.3.4-0ubuntu3) trusty; urgency=medium * Merge from unreleased debian git: Fix ipa-client-install issues (LP: #1282818) - fix auth platform module - use new pykerberos api - don't install a default conf - use sqlite-based nssdb's instead of old -- Timo Aaltonen Thu, 10 Apr 2014 11:57:53 +0300 freeipa (3.3.4-0ubuntu2) trusty; urgency=medium * Update build-deps for the xmlrpc-c 1.33.06 transition. 
-- Adam Conrad Sat, 22 Mar 2014 11:07:49 -0600 freeipa (3.3.4-0ubuntu1) trusty; urgency=low * Merge from unreleased debian git. -- Timo Aaltonen Tue, 03 Sep 2013 17:13:27 +0300 freeipa (3.3.4-1) UNRELEASED; urgency=low [ Michele Baldessari ] * Initial release (Closes: #734703) * New upstream * Dropped 10_ipa_kpasswd patch, applied upstream [ Timo Aaltonen ] * New upstream release. * Remove radius subpackages. * Migrate to source format 3.0 (quilt). * Migrate to dh. * Fix dependencies. * Add no-testcert.patch to not fail make-testcert. * Bump compat and debhelper build-depends to 9. * Add missing files to freeipa.install. * Add --fail-missing for dh_install. * copyright: Updated, with OpenSSL exception. * control: Add python-libipa-hbac to build-depends. * control: Add ${shlibs:Depends} to python-freeipa depends. * rules: Strip the executable bit from translation files. * Use dh_python2. * Add DEP-3 compliant headers to the patches. * control: client; Move libpam-krb5 to Suggests. * control: Update the maintainer address and repo location. * control: Fix package descriptions. * control: Add python-krbv, python-dnspython, keyutils to client depends. * Add no-test-lang.diff, test_lang is gone. * correct-python-path.diff: Fallback on the correct path if rpm query fails. * dont-search-platform-path.diff: Don't use Python.h from the platform specific path. * fix-install-layout.diff: Pass an option to setup-client.py to install the python bits to the correct path. * fix-ntpdate-opts.diff: Drop -U from nptdate opts, we don't have that. * Add support for Debian platform. * port-ipa-client-automount.diff: Patch i-c-a so it works on Debian. * rules: Don't run tests on server either, would never work during package build. [ Nick Hatch ] * Added three patches - fix-symlink-exclusion.diff: Don't exclude symlinks when loading plugins - fix-ldap-conf-path.diff: Patch client installer to use correct LDAP conf path. 
- check-dbus-before-starting.diff: Check to see if dbus is running before attempting to start it [ Timo Aaltonen ] * use-new-nssdb.diff: Use sqlite-based nssdb's instead of old. * control: Add python-dnspython and python-ldap to python-freeipa Depends. -- Timo Aaltonen Tue, 01 Nov 2011 10:52:25 -0400 debian/freeipa-server-trust-ad.install0000664000000000000000000000057212370157252015250 0ustar usr/sbin/ipa-adtrust-install usr/lib/*/dirsrv/plugins/libipa_extdom_extop.so usr/lib/*/dirsrv/plugins/libipa_sidgen.so usr/lib/*/dirsrv/plugins/libipa_sidgen_task.so usr/lib/*/samba/pdb/ipasam.so usr/lib/python*/dist-packages/ipaserver/dcerpc usr/lib/python*/dist-packages/ipaserver/install/adtrustinstance* usr/share/ipa/smb.conf.empty usr/share/man/man1/ipa-adtrust-install.1 debian/freeipa-client.dirs0000664000000000000000000000004612356761121012746 0ustar etc/ipa var/lib/ipa-client/sysrestore debian/freeipa-server.docs0000664000000000000000000000000712356761121012762 0ustar README debian/rules0000775000000000000000000000427112370157252010260 0ustar #!/usr/bin/make -f # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 ONLY_CLIENT=1 DESTDIR=$(CURDIR)/debian/tmp PLATFORM="SUPPORTED_PLATFORM=debian" override_dh_auto_clean: for i in daemons install ipapython ipaserver ipa-client; do \ (cd $$i && [ ! -f Makefile ] || $(MAKE) distclean); \ (cd $$i && rm -f COPYING INSTALL depcomp install-sh missing py-compile config.guess config.sub aclocal.m4 config.h.in version.m4); \ done find . -name "*.pyo" -o -name "*.pyc" -type f -exec rm -f "{}" \; find . -name "ltmain.sh" -exec rm -f "{}" \; find . -name "configure" -exec rm -f "{}" \; rm -rf daemons/ipa-version.h freeipa.spec freeipa.egg-info ipa-client/ipa-client.spec version.m4 rm -rf ipapython/build RELEASE build dh_clean rm -rf $(DESTDIR) override_dh_autoreconf: make IPA_VERSION_IS_GIT_SNAPSHOT=no version-update dh_autoreconf; cd .. 
override_dh_auto_configure: dh_auto_configure -Dipa-client ifneq ($(ONLY_CLIENT), 1) dh_auto_configure -Ddaemons -- \ --with-openldap \ --with-systemdsystemunitdir=/lib/systemd/system dh_auto_configure -Dinstall endif override_dh_auto_build: ifneq ($(ONLY_CLIENT), 1) make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no all # cd selinux ; make all else make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client endif # tests would just fail, they need a proper environment with 389 running et al override_dh_auto_test: override_dh_auto_install: ifneq ($(ONLY_CLIENT), 1) # Force re-generate of platform support rm -f ipapython/services.py make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR) # cd selinux # make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR) cd .. install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa else make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client-install DESTDIR=$(DESTDIR) endif # purge .la files find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \; # purge precompiled .pyc/.pyo files find $(CURDIR)/debian/tmp -name '*.py[c,o]' -exec rm '{}' ';' # fix permissions find $(CURDIR)/debian/tmp -name "*.mo" -type f -exec chmod -x "{}" \; dh_install --list-missing %: dh $@ --with quilt,autoreconf,python2 debian/freeipa-client.install0000664000000000000000000000071612370157252013457 0ustar usr/sbin/ipa-client-automount usr/sbin/ipa-client-install usr/sbin/ipa-getkeytab usr/sbin/ipa-rmkeytab usr/sbin/ipa-join usr/share/ipa/ipaclient/ipa.cfg usr/share/ipa/ipaclient/ipa.js usr/lib/python*/dist-packages/ipaclient/*.py usr/share/man/man1/ipa-client-automount.1.gz usr/share/man/man1/ipa-client-install.1.gz usr/share/man/man1/ipa-getkeytab.1.gz usr/share/man/man1/ipa-rmkeytab.1.gz usr/share/man/man1/ipa-join.1.gz usr/share/man/man5/default.conf.5.gz debian/freeipa-server.install0000664000000000000000000000433012370157252013503 0ustar etc/ipa/html/* 
lib/systemd/system/ipa-otpd@.service lib/systemd/system/ipa-otpd.socket usr/lib/*/dirsrv/plugins/libipa_cldap.so usr/lib/*/dirsrv/plugins/libipa_dns.so usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so usr/lib/*/dirsrv/plugins/libipa_lockout.so usr/lib/*/dirsrv/plugins/libipa_modrdn.so usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so usr/lib/*/dirsrv/plugins/libipa_range_check.so usr/lib/*/dirsrv/plugins/libipa_repl_version.so usr/lib/*/dirsrv/plugins/libipa_uuid.so usr/lib/*/dirsrv/plugins/libipa_winsync.so usr/lib/*/ipa/certmonger/* usr/lib/*/ipa-otpd usr/lib/*/krb5/plugins/kdb/*.so usr/lib/python*/dist-packages/ipaserver/* usr/sbin/ipa-advise usr/sbin/ipa-backup usr/sbin/ipa-ca-install usr/sbin/ipa-compat-manage usr/sbin/ipa-csreplica-manage usr/sbin/ipa-dns-install usr/sbin/ipa-ldap-updater usr/sbin/ipa-managed-entries usr/sbin/ipa-nis-manage usr/sbin/ipa-replica-conncheck usr/sbin/ipa-replica-install usr/sbin/ipa-replica-manage usr/sbin/ipa-replica-prepare usr/sbin/ipa-restore usr/sbin/ipa-server-certinstall usr/sbin/ipa-server-install usr/sbin/ipa-upgradeconfig usr/sbin/ipactl usr/share/ipa/advise/legacy/*.template usr/share/ipa/copy-schema-to-ca.py usr/share/ipa/ca_renewal usr/share/ipa/ffextension/* usr/share/ipa/ipa.conf usr/share/ipa/ipa-pki-proxy.conf usr/share/ipa/ipa-rewrite.conf usr/share/ipa/*.ldif usr/share/ipa/migration/* usr/share/ipa/*.template usr/share/ipa/ui/* usr/share/ipa/*.uldif usr/share/ipa/updates/* usr/share/ipa/wsgi.py usr/share/ipa/wsgi/* usr/share/man/man1/ipa-advise.1 usr/share/man/man1/ipa-backup.1.gz usr/share/man/man1/ipa-ca-install.1.gz usr/share/man/man1/ipa-compat-manage.1.gz usr/share/man/man1/ipa-csreplica-manage.1.gz usr/share/man/man1/ipa-dns-install.1.gz usr/share/man/man1/ipa-ldap-updater.1.gz usr/share/man/man1/ipa-managed-entries.1.gz usr/share/man/man1/ipa-nis-manage.1.gz usr/share/man/man1/ipa-replica-conncheck.1.gz usr/share/man/man1/ipa-replica-install.1.gz usr/share/man/man1/ipa-replica-manage.1.gz 
usr/share/man/man1/ipa-replica-prepare.1.gz usr/share/man/man1/ipa-restore.1.gz usr/share/man/man1/ipa-server-certinstall.1.gz usr/share/man/man1/ipa-server-install.1.gz usr/share/man/man8/ipactl.8.gz usr/share/man/man8/ipa-upgradeconfig.8.gz var/lib/ipa/sysrestore debian/python-freeipa.install0000664000000000000000000000065712370157252013526 0ustar usr/lib/python*/dist-packages/ipalib/* usr/lib/python*/dist-packages/ipapython/*.py usr/lib/python*/dist-packages/ipapython/platform/*.py usr/lib/python*/dist-packages/ipapython/platform/*/*.py usr/lib/python*/dist-packages/default_encoding_utf8.so usr/lib/python*/dist-packages/freeipa-*.egg-info usr/lib/python*/dist-packages/ipapython-*.egg-info usr/lib/python*/dist-packages/python_default_encoding-*.egg-info usr/share/locale debian/autoreconf0000664000000000000000000000003312356761121011260 0ustar ipa-client daemons install debian/compat0000664000000000000000000000000212356761121010372 0ustar 9 debian/watch0000664000000000000000000000014112356761121010221 0ustar version=3 http://freeipa.org/page/Downloads http://freeipa.org/downloads/src/freeipa-(.+).tar.gz debian/freeipa-admintools.install0000664000000000000000000000007712356761121014352 0ustar etc/bash_completion.d/ipa usr/bin/ipa usr/share/man/man1/ipa.1 debian/freeipa-tests.install0000664000000000000000000000031212370157252013333 0ustar usr/bin/ipa-run-tests usr/bin/ipa-test-config usr/bin/ipa-test-task usr/lib/python*/ipatests/* usr/share/man/man1/ipa-run-tests.1 usr/share/man/man1/ipa-test-config.1 usr/share/man/man1/ipa-test-task.1 debian/copyright0000664000000000000000000000412512370157252011131 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-name: freeipa Source: http://freeipa.org/downloads/src/ Files: * Copyright: 1999-2011 Red Hat, Inc. License: GPL-3+ Files: daemons/ipa-slapi-plugins/*/*.c daemons/ipa-slapi-plugins/*/*.h Copyright: 2005-2010 Red Hat, Inc. 
License: GPL-3+ with OpenSSL exception This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. . Additional permission under GPLv3 section 7: . In the following paragraph, "GPL" means the GNU General Public License, version 3 or any later version, and "Non-GPL Code" means code that is governed neither by the GPL nor a license compatible with the GPL. . You may link the code of this Program with Non-GPL Code and convey linked combinations including the two, provided that such Non-GPL Code only links to the code of this Program through those well defined interfaces identified in the file named EXCEPTION found in the source code files (the "Approved Interfaces"). The files of Non-GPL Code may instantiate templates or use macros or inline functions from the Approved Interfaces without causing the resulting work to be covered by the GPL. Only the copyright holders of this Program may make changes or additions to the list of Approved Interfaces. Files: debian/* Copyright: Michele Baldessari <michele@pupazzo.org> Timo Aaltonen License: GPL-3+ License: GPL-3+ On Debian machines the full text of the GNU General Public License can be found in the file /usr/share/common-licenses/GPL-3. 
debian/freeipa-server.links0000664000000000000000000000047212356761121013160 0ustar /usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js /usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js /usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js