freeipa.git/ipaplatform/fedora, branch fix_ber_scanf FreeIPA patches Use nis-domainname.service on all RH platforms 2019-07-04T08:43:51+00:00 Christian Heimes cheimes@redhat.com 2019-07-03T11:18:55+00:00 d2c929270c6184022b58799b61bb640cdcdf10a8 RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for domainname service. Remove special code in ipaplatform.rhel and for Fedora < 28. Only Fedora 29+ is supported by IPA 4.8. Fixes: https://pagure.io/freeipa/issue/8004 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.

Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use system-wide crypto policy for TLS ciphers 2019-07-02T14:38:00+00:00 Christian Heimes cheimes@redhat.com 2019-07-02T07:49:59+00:00 b55344888478e2b05dc01200bed87e551aa7d00a IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's also now possible to keep the default policy by setting TLS_HIGH_CIPHERS to None. Fixes: https://pagure.io/freeipa/issue/7998 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.

Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-client-automount: handle NFS configuration file changes 2019-02-27T20:42:39+00:00 François Cami fcami@redhat.com 2019-02-26T12:59:06+00:00 c69875c8afdd877baf7139c0cd5241f70105cbd4 nfs-utils in Fedora 30 and later switched its configuration file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a conversion service (nfs-convert.service) for upgrades. However, for new installs the original configuration file is missing. This change: * adds a tuple-based osinfo.version_number method to handle more kinds of OS versioning schemes * detects RHEL and Fedora versions with the the new nfs-utils behavior * avoids backing up the new NFS configuration file as we do not have to modify it. See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981 Fixes: https://pagure.io/freeipa/issue/7868 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
  more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the the new nfs-utils
  behavior
* avoids backing up the new NFS configuration file as we do
  not have to modify it.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981

Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Don't check for systemd service 2018-08-30T09:37:21+00:00 Christian Heimes cheimes@redhat.com 2018-08-29T10:58:12+00:00 1c03181e78b8f43e7bfd32e52c5b9d161c326fd6 ipaplatform no longer checks for the presence of a systemd service file to detect the name of the domainname service. Instead it uses osinfo's version to use the old name on Fedora 28 and the new name on Fedora 29. This fixes a SELinux violation that prevented httpd from listing systemd service files. Fixes: https://pagure.io/freeipa/issue/7661 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.

This fixes a SELinux violation that prevented httpd from listing systemd
service files.

Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Start to deprecate Python 2 and 3.5 2018-06-19T12:37:53+00:00 Christian Heimes cheimes@redhat.com 2018-06-12T07:03:39+00:00 f1c7d3c27839709808f67791274215fd2555ad40 Python 2 will reach EOL in 18 months. Start to issue deprecation warnings on Python 2. No longer claim support for Python 3.5. Python 3.5 is untested. NOTE: At first I tried to raise the deprecation warning from ipalib.__init__. This caused some unforseen side-effects with ipaplatform namespace package on Python 2. Eventually it was easier to raise the deprecation warning in ipaplatform. RHEL and Debian platforms don't raise the deprecation warning yet, because they use Python 2. Fixes: https://pagure.io/freeipa/issue/7568 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 
Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.

No longer claim support for Python 3.5. Python 3.5 is untested.

NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforseen side-effects with
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.

Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fedora 29 renamed fedora-domainname.service 2018-06-15T06:30:55+00:00 Christian Heimes cheimes@redhat.com 2018-06-11T08:09:51+00:00 907e1649580b8677d56da6207731addc178dca80 In Fedora 29, the fedora-domainname.service has been renamed to nis-domainname.service like on RHEL. The ipaplatform service module for Fedora now only renames the service, when it detects the presence of fedora-domainname.service. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192 Fixes: https://pagure.io/freeipa/issue/7582 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a 2018-04-27T12:01:33+00:00 Florence Blanc-Renaud flo@redhat.com 2018-04-26T14:54:36+00:00 e442464509049240bdb05a8bae09ce1291ca6b86 Commit d705320 was temporarily disabling authconfig backup and restore because of issue 7478. With the migration to authselect this is not needed any more Related to https://pagure.io/freeipa/issue/7377 Reviewed-By: Alexander Koksharov <akokshar@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import future imports 2018-04-20T07:43:37+00:00 Stanislav Laznicka slaznick@redhat.com 2018-04-05T07:21:16+00:00 b5bdd07bc54ca557491652ce61011ae6aa3eb592 Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Temporarily disable authconfig backup and restore 2018-04-03T06:07:46+00:00 Christian Heimes cheimes@redhat.com 2018-03-29T15:02:23+00:00 d705320ec136abc2fcf524f2b63a76d3fc0ba97a The authconfig command from authselect-compat-0.3.2-1 does not support backup and restore at all. Temporarily disable backup and restore of auth config to fix broken ipa-backup. Fixes: https://pagure.io/freeipa/issue/7478 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.

Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use system-wide crypto-policies on Fedora 2018-02-20T16:01:52+00:00 Christian Heimes cheimes@redhat.com 2018-02-09T10:50:32+00:00 90a75f0d4300126f18dabfb9ca4df59cab4d97cb HTTPS connections from IPA framework and bind named instance now use system-wide crypto-policies on Fedora. For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA, they are explicitly excluded. See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925 See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220 Fixes: https://pagure.io/freeipa/issue/4853 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>