On 03/28/2013 10:20 AM, Martin Kosek wrote:
> On 03/27/2013 10:42 AM, Tomas Babej wrote:
>> On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote:
>>> On 03/26/2013 06:32 PM, Tomas Babej wrote:
>>>> On 03/26/2013 05:38 PM, Martin Kosek wrote:
>>>>> On 03/21/2013 11:59 AM, Martin Kosek wrote:
>>>>>> This set of patches (details in commit messages) allows build and
>>>>>> installation
>>>>>> of FreeIPA in Fedora 19. I tested server and replica install
>>>>>> (master on f18,
>>>>>> replica on f19) and both worked fine.
>>>>>>
>>>>>> The patches are compatible with Fedora 18 (I tested).
>>>>>>
>>>>>> If your Fedora 19 does not have bind-9.9.2-11.P1.fc19, you may need
>>>>>> to get that
>>>>>> from koji:
>>>>>>
>>>>>> Bug 920713 - named timeouts when started via systemd
>>>>>>
>>>>>> Also, to fix trusts and ipa-adtrust-install, I had to use my custom
>>>>>> build of
>>>>>> 389-ds-base as current builds do not accept Kerberos tickets
>>>>>> greater than 2048
>>>>>> bytes. This is the bug I filed:
>>>>>>
>>>>>> Bug 923879 - 389-ds-base cannot handle Kerberos tickets with PAC
>>>>>>
>>>>>> Martin
>>>>>>
>>>>> Sending rebased patches (there was a conflict in spec changelog).
>>>>>
>>>>> Martin
>>>>>
>>>> This still needs the following rebase (changelog is not in
>>>> chronological order):
>>>>
>>>> -* Wed Mar 13 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-2
>>>> +* Tue Mar 26 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-2
>>>
>>> Right, I will fix that.
>>>
>>>>
>>>> The build on F19 went OK, however, IPA installation on F19 fails with
>>>> the
>>>> following error:
>>>>
>>>> [snip]
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>> minutes 30 seconds
>>>>    [1/20]: creating certificate server user
>>>>    [2/20]: configuring certificate server instance
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> IOError: [Errno 2] No such file or directory:
>>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>
>>> What pki-ca version do you use? There were some related fixes for bugs
>>> I found in pki-ca component (see Bug 919476). I used
>>> pki-ca-10.0.1-2.1.fc19.noarch
>>>
>>
>> The version is the same.
>>
>>> If you have this version or higher, what is the root cause of the
>>> failure? Is there any useful info in ipaserver-install.log?
>>>
>>
>> I haven't been able to identify the cause. There seems to be an issue with
>> certmonger as well,
>> since consequent uninstallation fails with:
>>
>>
> [snip]
>> 2013-03-26T17:03:19Z INFO The ipa-server-install command failed, exception:
>> IOError: [Errno 2] No such file or directory:
>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>
>>> Thanks,
>>> Martin
>>>
>>>>
>>>>
>>>> Patches work fine on F18.
>>>>
>>>> Tomas
>>>
>>
>>
> 
> Tomas is investigating the Fedora 19 failure, it was most probably caused by
> an improperly upgraded VM. Sending updated and rebased patchset addressing issues
> found so far.
> 
> I also reopened BIND bug as BIND does not start after reboot due to wrong
> tmpfiles.d configuration:
> https://bugzilla.redhat.com/show_bug.cgi?id=920713
> But this should not affect the patches as the fix would need to be done only 
> in
> bind packages.
> 
> Martin
> 

Attaching one more fix for PKI CA installation. The installer in F19 seems more
sensitive to the certificate downloaded via sslget from pki-ca. It may contain
DOS line endings, which break the certutil cert import and crash the install.
Patch 398 fixes it - tested both on F18 and F19.

Martin

From b46920ce12efdf7325877534f205d86ab547cce8 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 12 Mar 2013 15:25:40 +0100
Subject: [PATCH 1/6] Clean spec file for Fedora 19

This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
  an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
  cluttering rpm update output
* Remove httpd_conf constant which was not used

https://fedorahosted.org/freeipa/ticket/3502
---
 freeipa.spec.in | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b47e651d3489948d2ee3b09e2fb4d8bfe976da81..8dbee49fb738bdf4824d3df7830cfe2f3f889ed1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1,10 +1,8 @@
 # Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
-%global httpd_conf /etc/httpd/conf.d
 %global plugin_dir %{_libdir}/dirsrv/plugins
-
-%global POLICYCOREUTILSVER 1.33.12-1
+%global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
 
 Name:           freeipa
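
Review bot: the POLICYCOREUTILSVER bump from 1.33.12-1 to 2.1.12-5 is missing from the commit message, which lists three cleanups; only the changelog entry mentions it. The new minimum is unconditional, so please confirm that Fedora 18 ships at least 2.1.12-5 (the thread says the patches were tested there) and add the bump to the message.
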
@@ -39,7 +37,11 @@ BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
 BuildRequires:  openssl-devel
 BuildRequires:  openldap-devel
+%if 0%{?fedora} >= 19
+BuildRequires:  krb5-devel >= 1.11
+%else
 BuildRequires:  krb5-devel >= 1.10
+%endif
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
 BuildRequires:  libcurl-devel >= 7.21.7-2
@@ -90,8 +92,17 @@ Requires: 389-ds-base >= 1.3.0
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-Requires: krb5-server >= 1.10
+%if 0%{?fedora} >= 19
+Requires: krb5-server >= 1.11
+%else
+%if 0%{?fedora} == 18
+# krb5 1.11 bumped DAL interface major version, a rebuild is needed
 Requires: krb5-server < 1.11
+Requires: krb5-server >= 1.10
+%else
+Requires: krb5-server >= 1.10
+%endif
+%endif
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
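
Review bot: in the krb5-server block, "Requires: krb5-server >= 1.10" appears both in the Fedora 18 branch and in the final %else, and the nested %if makes it hard to see which releases still carry the "< 1.11" cap. Two flat conditionals would read better: one for Fedora 19 and later with ">= 1.11", and one for everything else with ">= 1.10" plus a Fedora 18-only "< 1.11". The commit message says the conflict is removed from the spec file, but Fedora 18 keeps it, so the message should say the cap now applies to Fedora 18 only.
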
@@ -439,7 +450,7 @@ fi
 %posttrans server
 # This must be run in posttrans so that updates from previous
 # execution that may no longer be shipped are not applied.
-/usr/sbin/ipa-ldap-updater --upgrade --quiet || :
+/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
 
 %preun server
 if [ $1 = 0 ]; then
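
Review bot: ">/dev/null" on the ipa-ldap-updater line drops stdout only, so "errors only" holds just for what the tool writes to stderr, and the trailing "|| :" still discards the exit status, so a failed upgrade in %posttrans is visible only through that stderr text. Please add a one-line comment in the scriptlet saying the redirect is deliberate and where an administrator should look when the upgrade fails.
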
@@ -771,6 +782,11 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Mar 27 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-2
+- Remove conflict with krb5-server > 1.11 as ipa-kdb is compatible
+- ipa-ldap-updater show produce errors only
+- update policycoreutils version to 2.1.12-5 to match Requires in Fedora
+
 * Thu Mar 21 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-1
 - Require selinux-policy 3.11.1-86 to fix Fedora 17 to 18 upgrade issue
 
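
Review bot: the new 3.1.99-2 changelog entry has a typo in "ipa-ldap-updater show produce errors only" (presumably "should"). "Remove conflict with krb5-server > 1.11" also does not match the spec: the cap in the Requires block is "krb5-server < 1.11", so the conflict being lifted is with 1.11 and later, and it is kept on Fedora 18. Reword both lines before this is committed.
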
-- 
1.8.1.4

From 4a8c14f7785ac5ec8631fbeffe3172da0bdd8eec Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 12 Mar 2013 15:28:58 +0100
Subject: [PATCH 2/6] Remove build warnings

Fix rpm build warnings reported in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500
---
 daemons/ipa-kdb/Makefile.am                        |  2 +-
 daemons/ipa-sam/Makefile.am                        |  2 +-
 daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am    |  2 +-
 daemons/ipa-slapi-plugins/ipa-dns/Makefile.am      |  2 +-
 .../ipa-slapi-plugins/ipa-enrollment/Makefile.am   |  2 +-
 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |  2 +-
 daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am  |  2 +-
 daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am   |  2 +-
 .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    |  2 +-
 .../ipa-slapi-plugins/ipa-range-check/Makefile.am  |  2 +-
 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am   |  2 +-
 daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am     |  2 +-
 daemons/ipa-slapi-plugins/ipa-version/Makefile.am  |  2 +-
 daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am  |  2 +-
 freeipa.spec.in                                    | 32 +++++++++++-----------
 ipa-client/Makefile.am                             |  2 +-
 16 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 23ba1cc05ec157a0f4d9b594350ebaf10b2098dc..13c4551318c7997397d0d83c51a0ffb99490e926 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -5,7 +5,7 @@ IPA_UTIL_DIR = ../../../util
 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd.c
 
-INCLUDES =						\
+AM_CPPFLAGS =						\
 	-I.						\
 	-I$(srcdir)					\
 	-I$(KRB5_UTIL_DIR)				\
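
Review bot: the commit message does not say which warning the INCLUDES to AM_CPPFLAGS rename addresses, here or in the other Makefile.am files. INCLUDES is the old automake name for preprocessor flags and newer automake warns about it in favour of AM_CPPFLAGS; state that in the message. The same commit also corrects weekday names in the spec changelog, which is an unrelated cleanup and should be named in the message or split out.
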
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 53c8f47bbfe927caf785a5529fb5d6e2dcbc7525..e8e22503a4d8e3821d6f455bac337feae8b34bfc 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -8,7 +8,7 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
 KRB5_UTIL_DIR=../../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
 
-INCLUDES =						\
+AM_CPPFLAGS =						\
 	-I.						\
 	-I$(srcdir)					\
 	-I/usr/include/samba-4.0			\
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
index 27f53e9aa129ff2ef31c909f2b55069fae7b64da..f669d6b561482e165bedc1c1b2904b7f67a49a95 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
index 1b9f649b2151d380fc4fb188df1f1138167bc4b1..6d09c8d9c73755e89d91fea83ac66f088d9be553 100644
--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
index c3bb279598cc6eafbaa545ef0774882d2fe98a1e..7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index d93e094b95510cf0ec99b7f7c38ff261c56f310e..67b556a4ac6e2ca8ef72901c0d9bcaef428aeca0 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
index fea3fe67d13ec0a87c4d1f983218af457212334d..0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
index 5d9db51f41c427894961d8af2b9b6b8d4d289ae0..9fbd03397cf36097e3c38280330cdeda1bf5950e 100644
--- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index f3bb589611efbd53eb2f0969ee858c2007829892..ec98f95e6bc3dc7134ea20c735e92f5e8806f033 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -6,7 +6,7 @@ KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
index f284b42ff339bc97463260749d948f9aff9f54a4..f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
index a0d0e9ecf366b23cc6f054945544cd88cd846cad..4bfb0185ec589797125df747cc02dcf8a7ef30cd 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
index 15e6dedb860e4bb0ba7554b13e21e18c27b68ef3..738290170da587b0bbee96d8abcda2762264ee0e 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
index c7317ecdf7ac3caeec1ad72fee96f1a03cc6322d..5396bda99c64e66428a15a17a520227f790bff00 100644
--- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I../../						\
 	-I$(srcdir)						\
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
index 2d4b5a4472eda86c9f59797635eb216082431882..c41692864557e890d388e42c404c23e91ae8b1e9 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
@@ -2,7 +2,7 @@ NULL =
 
 PLUGIN_COMMON_DIR=../common
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(PLUGIN_COMMON_DIR)					\
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8dbee49fb738bdf4824d3df7830cfe2f3f889ed1..cb1980a33d853bf35bab3cb196783da2069e7af6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -803,7 +803,7 @@ fi
 - Add certmonger condrestart to server post scriptlet
 - Make certmonger a (pre) Requires on the server subpackage
 
-* Fri Jan 22 2013 Petr Vobornik <pvobo...@redhat.com> - 3.0.99-11
+* Tue Jan 22 2013 Petr Vobornik <pvobo...@redhat.com> - 3.0.99-11
 - dependency fix
 - Add BuildRequires: java-1.7.0-openjdk.
 - Removed BuildRequires: rhino
@@ -881,7 +881,7 @@ fi
 * Mon Aug 20 2012 Tomas Babej <tba...@redhat.com> - 2.99.0-42
 - Add samba4-winbind to build dependencies for AD server-side code
 
-* Thu Aug 17 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-41
+* Fri Aug 17 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-41
 - Set min for bind-dyndb-ldap to 1.1.0-0.16.rc1 to pick up complete zone transfer
   support
 
@@ -900,14 +900,14 @@ fi
 - Set minimum tomcat6 to 6.0.35-4 in F-18
 - Set minimum mod_auth_kerb to 5.4-16 in F-18
 
-* Fri Jun 21 2012 Sumit Bose <sb...@redhat.com> - 2.99.0-36
+* Thu Jun 21 2012 Sumit Bose <sb...@redhat.com> - 2.99.0-36
 - Add extdom extop plugin
 
-* Fri Jun 21 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-35
+* Thu Jun 21 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-35
 - Add client requires on libsss-autofs, autofs, libnfsidmap and nfs-utils
   for configuring automount and NFS.
 
-* Fri Jun 21 2012 Petr Vobornik <pvobo...@redhat.com> - 2.99.0-34
+* Thu Jun 21 2012 Petr Vobornik <pvobo...@redhat.com> - 2.99.0-34
 - Add Web UI reset password pages
 
 * Wed Jun 20 2012 Ondrej Hamada <oham...@redhat.com> - 2.99.0-33
@@ -941,13 +941,13 @@ fi
 * Tue Mar 27 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-26
 - Add python-krbV Requires on client package
 
-* Wed Mar 26 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-25
+* Mon Mar 26 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-25
 - Set min for 389-ds-base to 1.2.10.4-2 to fix upgrade issue
 
 * Fri Mar 23 2012 Petr Viktorin <pvikt...@redhat.com> - 2.99.0-24
 - Add python-lxml and python-pyasn1 to BuildRequires
 
-* Wed Mar 19 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-23
+* Mon Mar 19 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-23
 - Set min for bind-dyndb-ldap and bind to pick up new features and bug fixes
 
 * Thu Mar 1 2012 Jan Cholasta <jchol...@redhat.com> - 2.99.0-22
@@ -983,12 +983,12 @@ fi
 * Fri Dec 9 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-13
 - Fix dependency for samba4-devel package
 
-* Wed Nov 17 2011 Simo Sorce <s...@redhat.com> - 2.99.0-12
+* Thu Nov 17 2011 Simo Sorce <s...@redhat.com> - 2.99.0-12
 - Add CLDAP plugin
 - Set min nvr of 389-ds-base to 1.2.10-0.5.a5 for SLAPI_PLUGIN_CONFIG_ENTRY
   support
 
-* Wed Nov 14 2011 Endi S. Dewata <edew...@redhat.com> - 2.99.0-11
+* Mon Nov 14 2011 Endi S. Dewata <edew...@redhat.com> - 2.99.0-11
 - Make sure changes to extension.js are not removed.
 
 * Wed Oct 26 2011 Endi S. Dewata <edew...@redhat.com> - 2.99.0-10
@@ -1018,7 +1018,7 @@ fi
 * Mon Aug 29 2011 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-2
 - Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
 
-* Wed Aug 25 2011 Simo Sorce <ssorce#redhat.com> - 2.99.0-1
+* Thu Aug 25 2011 Simo Sorce <ssorce#redhat.com> - 2.99.0-1
 - Remove ipa_kpasswd.
 
 * Tue Aug 23 2011 Jan Cholasta <jchol...@redhat.com> - 2.1.0-1
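
Review bot: the rewritten "Thu Aug 25 2011" changelog line still carries the address as "ssorce#redhat.com", with "#" where the other entries have "@". Since the line is being touched for the weekday anyway, fix the separator in the same change.
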
@@ -1036,7 +1036,7 @@ fi
 * Tue Aug 2 2011 Endi S. Dewata <edew...@redhat.com> - 2.0.90-10
 - Add *.ico files
 
-* Tue Jul 29 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.0.90-9
+* Fri Jul 29 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.0.90-9
 - Add libipa_hbac-python dependency for hbactest plugin
 
 * Thu Jul 28 2011 Rob Crittenden <rcrit...@redhat.com> - 2.0.90-8
@@ -1078,7 +1078,7 @@ fi
 * Wed Feb  9 2011 Rob Crittenden <rcrit...@redhat.com> - 1.99-44
 - Set minimum version of sssd to 1.5.1
 
-* Thu Feb  2 2011 Rob Crittenden <rcrit...@redhat.com> - 1.99-43
+* Wed Feb  2 2011 Rob Crittenden <rcrit...@redhat.com> - 1.99-43
 - Set min version of 389-ds-base to 1.2.8
 - Set min version of mod_nss 1.0.8-10
 - Set min version of selinux-policy to 3.9.7-27
@@ -1093,7 +1093,7 @@ fi
 - Remove some explicit Requires in client that aren't needed
 - Consistent use of buildroot vs RPM_BUILD_ROOT
 
-* Thu Jan 19 2011 Adam Young <ayo...@redhat.com> - 1.99-40
+* Wed Jan 19 2011 Adam Young <ayo...@redhat.com> - 1.99-40
 - Moved directory install/static to install/ui
 
 * Thu Jan 13 2011 Simo Sorce <sso...@redhat.com> - 1.99-39
@@ -1215,7 +1215,7 @@ fi
 - Move ipalib to ipa-python subpackage
 - Bump minimum version of slapi-nis to 0.15
 
-* Thu May  6 2009 Rob Crittenden <rcrit...@redhat.com> - 1.99-5
+* Wed May  6 2009 Rob Crittenden <rcrit...@redhat.com> - 1.99-5
 - Set 0.14 as minimum version for slapi-nis
 
 * Wed Apr 22 2009 Rob Crittenden <rcrit...@redhat.com> - 1.99-4
@@ -1303,7 +1303,7 @@ fi
 - Pull upstream changelog 722
 - Add Conflicts mod_ssl (435360)
 
-* Thu Feb 29 2008 Rob Crittenden <rcrit...@redhat.com> 0.99-11
+* Fri Feb 29 2008 Rob Crittenden <rcrit...@redhat.com> 0.99-11
 - Pull upstream changelog 698
 - Fix ownership of /var/log/ipa_error.log during install (435119)
 - Add pwpolicy command and man page
@@ -1393,7 +1393,7 @@ fi
 * Fri Aug 10 2007 Karl MacMillan <kmacm...@redhat.com> - 0.2.0-1
 - Added support for ipa_kpasswd and ipa_pwd_extop
 
-* Mon Aug  5 2007 Rob Crittenden <rcrit...@redhat.com> - 0.1.0-3
+* Sun Aug  5 2007 Rob Crittenden <rcrit...@redhat.com> - 0.1.0-3
 - Abstracted client class to work directly or over RPC
 
 * Wed Aug  1 2007 Rob Crittenden <rcrit...@redhat.com> - 0.1.0-2
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am
index f22a2c345ff2356c77b7dccc2e8775950202ae5d..b7d70fd8d0d4383cac497b2978196e25893f9fe1 100644
--- a/ipa-client/Makefile.am
+++ b/ipa-client/Makefile.am
@@ -15,7 +15,7 @@ export AM_CFLAGS
 KRB5_UTIL_DIR=../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
 
-INCLUDES =							\
+AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(KRB5_UTIL_DIR)					\
-- 
1.8.1.4

From ff00c381300a81df0ca33bc31dce0aeaa2407cd5 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 27 Mar 2013 14:58:16 +0100
Subject: [PATCH 3/6] Remove syslog.target from ipa.server

This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirements.

https://fedorahosted.org/freeipa/ticket/3511
---
 freeipa.spec.in          | 4 +++-
 init/systemd/ipa.service | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cb1980a33d853bf35bab3cb196783da2069e7af6..665a6d7207042a5b0defd63186149fbf5684a096 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -120,7 +120,7 @@ Requires: acl
 Requires: python-pyasn1
 Requires: memcached
 Requires: python-memcached
-Requires: systemd-units >= 36-3
+Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= 3.11.1-86
@@ -786,6 +786,8 @@ fi
 - Remove conflict with krb5-server > 1.11 as ipa-kdb is compatible
 - ipa-ldap-updater show produce errors only
 - update policycoreutils version to 2.1.12-5 to match Requires in Fedora
+- require at least systemd 38 which provides the journal (we no longer
+  need to require syslog.target)
 
 * Thu Mar 21 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-1
 - Require selinux-policy 3.11.1-86 to fix Fedora 17 to 18 upgrade issue
diff --git a/init/systemd/ipa.service b/init/systemd/ipa.service
index ba27d1dfd2db24389fc14163a77b262d54d5b5e6..8cfcf7c541080cbfa5c402aba801dee901141e3d 100644
--- a/init/systemd/ipa.service
+++ b/init/systemd/ipa.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Identity, Policy, Audit
-Requires=syslog.target network.target
-After=syslog.target network.target
+Requires=network.target
+After=network.target
 
 [Service]
 Type=oneshot
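
Review bot: the commit subject says "ipa.server" but the file changed here is init/systemd/ipa.service; fix the subject so the change can be found by file name. The unit change itself matches the ">= 38" systemd-units requirement added in the spec hunk of this patch.
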
-- 
1.8.1.4

From 7acffc774000bd746f9e81aad06de6b5e8cb521a Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 20 Mar 2013 15:39:59 +0100
Subject: [PATCH 4/6] Put pid-file to named.conf

Fedora 19 has split the /var/run and /run directories, while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in a different directory than it really is and fail to start.

Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
---
 install/share/bind.named.conf.template |  1 +
 install/tools/ipa-upgradeconfig        | 45 +++++++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index b12df593ad902dfbe815c2292992f26204756cd8..e4ce6058399e8d9a1f112f55907e060075dff00b 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -15,6 +15,7 @@ options {
 	allow-recursion { any; };
 
 	tkey-gssapi-keytab "/etc/named.keytab";
+	pid-file "/run/named/named.pid";
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f5652139d6e8632970e6c558275b69a61f2b0510..c690544fa9d3574eca71b7779a59afb24842d1fe 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -516,6 +516,47 @@ def named_update_gssapi_configuration():
     sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
     return True
 
+def named_update_pid_file():
+    """
+    Make sure that named reads the pid file from the right file
+    """
+    root_logger.info('[Updating pid-file configuration in DNS]')
+
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'pid-file_updated'):
+        root_logger.debug('Skip pid-file configuration check')
+        return False
+
+    try:
+        pid_file = bindinstance.named_conf_get_directive('pid-file',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve pid-file option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if pid_file:
+            root_logger.debug('pid-file configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
+            return False
+
+    try:
+        bindinstance.named_conf_set_directive('pid-file', '/run/named/named.pid',
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update pid-file configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        root_logger.debug('pid-file configuration updated')
+
+    sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
+    return True
+
 
 def enable_certificate_renewal(ca):
     """
@@ -808,7 +849,9 @@ def main():
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     changed_gssapi_conf = named_update_gssapi_configuration()
-    if changed_psearch or changed_autoincrement or changed_gssapi_conf:
+    changed_pid_file_conf = named_update_pid_file()
+    if (changed_psearch or changed_autoincrement or changed_gssapi_conf
+            or changed_pid_file_conf):
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bind = bindinstance.BindInstance(fstore)
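
Review bot: named_update_pid_file(), which this main() hunk now calls, treats any existing pid-file value as already updated: the "if pid_file:" branch sets the 'pid-file_updated' state and returns False without looking at the path. A named.conf that already sets pid-file to a location under /var/run is therefore recorded as done, left pointing at the old location, and named is not restarted. If leaving an administrator's value alone is intended, say so in the docstring (which currently reads "reads the pid file from the right file"); otherwise compare the value with the expected path. The literal '/run/named/named.pid' is also duplicated in bind.named.conf.template, so a shared constant would keep the two in step.
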
-- 
1.8.1.4

From c2062d10e8c4516b946c66c6c2ec56deb35b5dd5 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 20 Mar 2013 16:40:53 +0100
Subject: [PATCH 5/6] Update mod_wsgi socket directory

Fedora 19 split the /var/run and /run directories. Update mod_wsgi
configuration so that it generates its sockets in the right one.
---
 install/conf/ipa.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a936c7fe6b7a957683e803d51b8685fb6187ca31..f3384d056b5eca4e756bdb58d9b264eeaf1a4b66 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 11 - DO NOT REMOVE THIS LINE
+# VERSION 12 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -37,7 +37,7 @@ FileETag None
 
 # FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /var/run/httpd/wsgi
+WSGISocketPrefix /run/httpd/wsgi
 
 
 # Configure mod_wsgi handler for /ipa
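
Review bot: "WSGISocketPrefix /run/httpd/wsgi" now applies on every release this file ships to, not only Fedora 19, so on Fedora 18 it relies on /var/run and /run being the same directory, as the previous patch's message describes. The commit message should say that, and a one-line comment next to the directive would keep someone from reverting it to /var/run later.
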
-- 
1.8.1.4

From 43309a1c728bd7566a150e62c5cd034b93e84be1 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 28 Mar 2013 14:36:36 +0100
Subject: [PATCH 6/6] Normalize RA agent certificate

Certificate parsed out of sslget request to pki-ca was not always
properly formatted and it may still contain DOS line endings. Make
sure that the certificate is printed with correct line endings.
---
 ipaserver/install/cainstance.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index deb9a6135916d48279aef9d91b3919c716db2fcf..6bf22dbfc76e03c65680baf20f10d010ff945b25 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1004,8 +1004,11 @@ class CAInstance(service.Service):
         outputList = get_outputList(data)
 
         self.ra_cert = outputList['b64_cert']
-        self.ra_cert = self.ra_cert.replace('\\n','')
+
+        # Strip certificate headers and convert it to proper line ending
         self.ra_cert = x509.strip_header(self.ra_cert)
+        self.ra_cert = "\n".join(line.strip() for line
+                                 in self.ra_cert.splitlines() if line.strip())
 
         # Add the new RA cert to the database in /etc/httpd/alias
         (agent_fd, agent_name) = tempfile.mkstemp()
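
Review bot: removing "self.ra_cert.replace('\\n','')" means literal backslash-n sequences in outputList['b64_cert'] are no longer stripped; the new splitlines() join only handles real line breaks, CRLF included. If get_outputList() can still return the escaped form, that text now stays inside the base64 that is imported as the RA agent certificate. Either keep the replace ahead of x509.strip_header() or say in the commit message why it is no longer needed.
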
-- 
1.8.1.4
