.freeipa-pr-ci.yaml

@@ -58,7 +58,7 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_external_ca.py
+        test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
         template: *ci-master-f27
         timeout: 3600
         topology: *master_1repl
@@ -87,6 +87,18 @@ jobs:
         timeout: 3600
         topology: *master_1repl_1client
 
+  fedora-27/test_ipa_cli:
+    requires: [fedora-27/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-27/build_url}'
+        test_suite: test_integration/test_ipa_cli.py
+        template: *ci-master-f27
+        timeout: 3600
+        topology: *master_1repl
+
   fedora-27/test_kerberos_flags:
     requires: [fedora-27/build]
     priority: 50
@@ -183,15 +195,15 @@ jobs:
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_installation_TestInstallMasterReservedIPasForwarder:
+  fedora-27/test_authconfig:
     requires: [fedora-27/build]
     priority: 50
     job:
       class: RunPytest
       args:
         build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_installation.py::TestInstallMasterReservedIPasForwarder
+        test_suite: test_integration/test_authselect.py
         template: *ci-master-f27
-        timeout: 10800
-        topology: *master_1repl
+        timeout: 3600
+        topology: *master_1repl_1client
 

ACI.txt

@@ -361,7 +361,7 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example

API.txt

@@ -1944,13 +1944,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_add_member/1
-args: 1,7,3
+args: 1,8,3
 arg: Str('cn', cli_name='group_name')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('group*', alwaysask=True, cli_name='groups')
 option: Str('ipaexternalmember*', cli_name='external')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('service*', alwaysask=True, cli_name='services')
 option: Str('user*', alwaysask=True, cli_name='users')
 option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
@@ -1972,7 +1973,7 @@ output: Output('result', type=[<type 'bool'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_find/1
-args: 1,28,4
+args: 1,30,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='group_name')
@@ -1987,6 +1988,7 @@ option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('no_group*', cli_name='no_groups')
 option: Flag('no_members', autofill=True, default=True)
+option: Principal('no_service*', cli_name='no_services')
 option: Str('no_user*', cli_name='no_users')
 option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False)
 option: Str('not_in_group*', cli_name='not_in_groups')
@@ -1998,6 +2000,7 @@ option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('posix', autofill=True, cli_name='posix', default=False)
 option: Flag('private', autofill=True, cli_name='private', default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Principal('service*', cli_name='services')
 option: Int('sizelimit?', autofill=False)
 option: Int('timelimit?', autofill=False)
 option: Str('user*', cli_name='users')
@@ -2026,13 +2029,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_remove_member/1
-args: 1,7,3
+args: 1,8,3
 arg: Str('cn', cli_name='group_name')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('group*', alwaysask=True, cli_name='groups')
 option: Str('ipaexternalmember*', cli_name='external')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('service*', alwaysask=True, cli_name='services')
 option: Str('user*', alwaysask=True, cli_name='users')
 option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
@@ -4457,7 +4461,7 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,13,3
+args: 1,14,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4470,6 +4474,7 @@ option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
+option: Flag('skip_host_check', autofill=True, default=False)
 option: Certificate('usercertificate*', cli_name='certificate')
 option: Str('version?')
 output: Entry('result')

VERSION.m4

@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
 # e.g. define(IPA_VERSION_PRE_RELEASE, rc1)            #
 #  ->  "1.0.0rc1"                                      #
 ########################################################
-define(IPA_VERSION_PRE_RELEASE, .pre1)
+define(IPA_VERSION_PRE_RELEASE, .pre2)
 
 ########################################################
 # To mark GIT snapshots this should be set to 'yes'    #
@@ -46,7 +46,7 @@ define(IPA_VERSION_PRE_RELEASE, .pre1)
 # This option works only with GNU m4:                  #
 # it requires esyscmd m4 macro.                        #
 ########################################################
-define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
+define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
 
 ########################################################
 # git development branch:                              #

client/ipa-getkeytab.c

@@ -763,7 +763,8 @@ int main(int argc, const char *argv[])
               _("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
               _("Kerberos Service Principal Name") },
             { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
-              _("File were to store the keytab information"),
+              _("The keytab file to append the new key to (will be "
+                "created if it does not exist)."),
               _("Keytab File Name") },
 	    { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0,
               _("Encryption types to request"),

contrib/Makefile.am

 SUBDIRS = completion
 
 EXTRA_DIST = \
-	nssciphersuite \
 	lite-server.py

contrib/nssciphersuite/README.txt

-Cipher suite for mod_nss
-------------------------
-
-The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
-creates a list of secure cipher suites for TLS. The script filters out
-insecure, obsolete and slow ciphers according to some rules.
-
-As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
-cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
-cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
-key exchange. https://www.ssllabs.com/ gives a 'A' grade.
-
-Note:
-No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
-support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.
-
-# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
-# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
-# enabled cipher suites:
-#   TLS_RSA_WITH_AES_128_CBC_SHA256
-#   TLS_RSA_WITH_AES_256_CBC_SHA256
-#   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-#   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-#   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-#   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-#   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-#   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-#   TLS_RSA_WITH_AES_128_GCM_SHA256
-#   TLS_RSA_WITH_AES_128_CBC_SHA
-#   TLS_RSA_WITH_AES_256_GCM_SHA384
-#   TLS_RSA_WITH_AES_256_CBC_SHA
-#
-
-NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

contrib/nssciphersuite/nssciphersuite.py

-#!/usr/bin/python3
-#
-# Authors:
-#     Christian Heimes <cheimes@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2016 Red Hat, Inc.
-# All rights reserved.
-#
-"""Generate safe NSSCipherSuite stanza for mod_nss
-"""
-from __future__ import print_function
-
-import operator
-import re
-
-# pylint: disable=import-error,no-name-in-module
-from urllib.request import urlopen
-# pylint: enable=import-error,no-name-in-module
-
-SOURCE = "https://git.fedorahosted.org/cgit/mod_nss.git/plain/nss_engine_cipher.c"
-
-CIPHER_RE = re.compile(
-    r'\s*\{'
-    r'\"(?P<name>\w+)\",\s*'
-    r'(?P<num>(TLS|SSL)_\w+),\s*'
-    r'\"(?P<openssl_name>[\w-]+)\",\s*'
-    r'(?P<attr>[\w|]+),\s*'
-    r'(?P<version>\w+),\s*'
-    r'(?P<strength>\w+),\s*'
-    r'(?P<bits>\d+),\s*'
-    r'(?P<alg_bits>\d+)'
-)
-
-DISABLED_CIPHERS = {
-    # ciphers without encryption or authentication
-    'SSL_eNULL', 'SSL_aNULL',
-    # MD5 is broken
-    # SHA-1 is still required as PRF algorithm for TLSv1.0
-    'SSL_MD5',
-    # RC2 and RC4 stream ciphers are broken.
-    'SSL_RC2', 'SSL_RC4',
-    # DES is broken and Triple DES is too weak.
-    'SSL_DES', 'SSL_3DES',
-    # DSA is problematic.
-    'SSL_DSS', 'SSL_aDSS',
-    # prefer AES over Camellia.
-    'SSL_CAMELLIA128', 'SSL_CAMELLIA256', 'SSL_CAMELLIA',
-    # non-ephemeral EC Diffie-Hellmann with fixed parameters are not
-    # used by common browser and are therefore irrelevant for HTTPS.
-    'kECDH', 'SSL_kECDHr', 'SSL_kECDHe'
-}
-
-WEAK_STRENGTH = {
-    'SSL_STRONG_NONE',
-    'SSL_EXPORT40',
-    'SSL_EXPORT56',
-    'SSL_LOW'
-}
-
-
-def parse_nss_engine_cipher(lines, encoding='utf-8'):
-    """Parse nss_engine_cipher.c and get list of ciphers
-
-    :param lines: iterable or list of lines
-    :param encoding: default encoding
-    :return: list of cipher dicts
-    """
-    ciphers = []
-    start = False
-    for line in lines:
-        if not isinstance(line, str):
-            line = line.decode(encoding)
-
-        if line.startswith('cipher_properties'):
-            start = True
-        elif not start:
-            continue
-        elif line.startswith('};'):
-            break
-
-        mo = CIPHER_RE.match(line)
-        if not mo:
-            continue
-
-        match = mo.groupdict()
-        match['attr'] = set(match['attr'].split('|'))
-        match['bits'] = int(match['bits'])
-        match['alg_bits'] = int(match['alg_bits'])
-
-        # some cipher elemets aren't flagged
-        for algo in ['SHA256', 'SHA384']:
-            if match['num'].endswith(algo):
-                match['attr'].add('SSL_{}'.format(algo))
-
-        # cipher block chaining isn't tracked
-        if '_CBC' in match['num']:
-            match['attr'].add('SSL_CBC')
-
-        if match['attr'].intersection(DISABLED_CIPHERS):
-            match['enabled'] = False
-        elif match['strength'] in WEAK_STRENGTH:
-            match['enabled'] = False
-        else:
-            match['enabled'] = True
-
-        # EECDH + AES-CBC and large hash functions is slow and not more secure
-        if (match['attr'].issuperset({'SSL_CBC', 'SSL_kEECDH'}) and
-                match['attr'].intersection({'SSL_SHA256', 'SSL_SHA384'})):
-            match['enabled'] = False
-
-        ciphers.append(match)
-
-    ciphers.sort(key=operator.itemgetter('name'))
-    return ciphers
-
-
-def main():
-    with urlopen(SOURCE) as r:
-        ciphers = parse_nss_engine_cipher(r)
-    # with open('nss_engine_cipher.c') as f:
-    #     ciphers = parse_nss_engine_cipher(f)
-
-    print("# disabled cipher attributes: {}".format(
-        ', '.join(sorted(DISABLED_CIPHERS))))
-    print("# weak strength: {}".format(', '.join(sorted(WEAK_STRENGTH))))
-    print("# enabled cipher suites:")
-    suite = []
-    for cipher in ciphers:
-        if cipher['enabled']:
-            print("#   {:36}".format(cipher['num']))
-            suite.append('+{}'.format(cipher['name']))
-    print()
-    print("NSSCipherSuite {}".format(','.join(suite)))
-
-
-if __name__ == '__main__':
-    main()

daemons/ipa-slapi-plugins/topology/topology_post.c

@@ -240,22 +240,26 @@ ipa_topo_post_del(Slapi_PBlock *pb)
         /* check if corresponding agreement exists and delete */
         TopoReplica *tconf = ipa_topo_util_get_conf_for_segment(del_entry);
         TopoReplicaSegment *tsegm = NULL;
-        char *status;
+        int obsolete_segment;
+        Slapi_Value *obsolete_sv;
+
         if (tconf) tsegm = ipa_topo_util_find_segment(tconf, del_entry);
         if (tsegm == NULL) {
             slapi_log_error(SLAPI_LOG_FATAL, IPA_TOPO_PLUGIN_SUBSYSTEM,
                             "segment to be deleted does not exist\n");
             break;
         }
-        status = slapi_entry_attr_get_charptr(del_entry, "ipaReplTopoSegmentStatus");
-        if (status == NULL || strcasecmp(status, SEGMENT_OBSOLETE_STR)) {
+
+        obsolete_sv = slapi_value_new_string(SEGMENT_OBSOLETE_STR);
+        obsolete_segment = slapi_entry_attr_has_syntax_value(del_entry, "ipaReplTopoSegmentStatus", obsolete_sv);
+        slapi_value_free(&obsolete_sv);
+        if (!obsolete_segment) {
             /* obsoleted segments are a result of merge, do not remove repl agmt */
             ipa_topo_util_existing_agmts_del(tconf, tsegm,
                                          ipa_topo_get_plugin_hostname());
         }
         /* also remove segment from local topo conf */
         ipa_topo_cfg_segment_del(tconf, tsegm);
-        slapi_ch_free_string(&status);
         break;
         }
     case TOPO_DOMLEVEL_ENTRY: {

freeipa.spec.in

@@ -58,6 +58,7 @@
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
 %global python2_ldap_version 2.4.15
+%global ds_version 1.3.7.9-1
 %else
 # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
 %global krb5_version 1.15.1-7
@@ -81,10 +82,26 @@
 %global python3_ldap_version 2.4.35.1-2
 %endif
 
+%if 0%{?fedora} >= 28
+# Fix for "Crash when failing to read from SASL connection"
+# https://pagure.io/389-ds-base/issue/49639
+%global ds_version 1.4.0.8-1
+%else
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+%global ds_version 1.3.7.9-1
 %endif
 
-# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
-%global pki_version 10.6.0-0.2
+%endif
+
+# Require Dogtag PKI 10.6.1 with Python 3 and SQL NSSDB fixes for external
+# CA support, https://bugzilla.redhat.com/show_bug.cgi?id=1573094
+%global pki_version 10.6.1
+
+# NSS release with fix for CKA_LABEL import bug in shared SQL database.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1568271
+%global nss_version 3.36.1-1.1
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
 
@@ -145,14 +162,12 @@ BuildRequires:  systemd
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires:  httpd
 BuildRequires:  nspr-devel
-BuildRequires:  nss-devel
+BuildRequires:  nss-devel >= %{nss_version}
 BuildRequires:  openssl-devel
 BuildRequires:  libini_config-devel
 BuildRequires:  cyrus-sasl-devel
-BuildRequires:  sssd-tools
 %if ! %{ONLY_CLIENT}
-# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
-BuildRequires:  389-ds-base-devel >= 1.3.3.9
+BuildRequires:  389-ds-base-devel >= %{ds_version}
 BuildRequires:  svrcore-devel
 %if 0%{?rhel}
 BuildRequires:  samba-devel >= 4.0.0
@@ -326,13 +341,10 @@ Requires: python3-pyldap >= %{python3_ldap_version}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: python2-ldap >= %{python2_ldap_version}
 %endif
-# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
-Requires: 389-ds-base >= 1.3.7.9-1
+Requires: 389-ds-base >= %{ds_version}
 Requires: openldap-clients > 2.4.35-4
-Requires: nss >= 3.14.3-12.0
-Requires: nss-tools >= 3.14.3-12.0
+Requires: nss >= %{nss_version}
+Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
 Requires: krb5-pkinit-openssl >= %{krb5_version}
@@ -373,10 +385,7 @@ Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.79.5-1
-# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
-Requires(pre): 389-ds-base >= 1.3.7.9-1
+Requires(pre): 389-ds-base >= %{ds_version}
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@@ -592,7 +601,7 @@ Requires: python2-sssdconfig
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
-Requires: authconfig
+Requires: authselect >= 0.4-2
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 Requires: initscripts
@@ -600,13 +609,14 @@ Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
 Requires: certmonger >= 0.79.5-1
-Requires: nss-tools
+Requires: nss-tools >= %{nss_version}
 Requires: bind-utils
 Requires: oddjob-mkhomedir
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
 Requires: nfs-utils
+Requires: sssd-tools
 Requires(post): policycoreutils
 
 Provides: %{alt_name}-client = %{version}
@@ -642,6 +652,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
 Requires: python2-dns >= 1.15
 Requires: python2-jinja2
+Requires: python2-augeas
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -665,6 +676,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
+Requires: python3-augeas
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -1155,6 +1167,8 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+
+%pre server-common
 # create users and groups
 # create kdcproxy group and user
 getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
@@ -1396,7 +1410,6 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
 %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
-%dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/*.ldif
@@ -1603,6 +1616,7 @@ fi
 %dir %{_localstatedir}/lib/ipa-client/pki
 %dir %{_localstatedir}/lib/ipa-client/sysrestore
 %{_mandir}/man5/default.conf.5*
+%{_usr}/share/ipa/freeipa.template
 
 
 %files python-compat
@@ -1635,6 +1649,7 @@ fi
 %defattr(-,root,root,-)
 %doc README.md Contributors.txt
 %license COPYING
+%dir %{_usr}/share/ipa
 
 
 %if 0%{?with_python3}

install/migration/migration.py

@@ -19,6 +19,7 @@
 """
 Password migration script
 """
+from __future__ import absolute_import
 
 import cgi
 import errno

install/share/Makefile.am

@@ -51,6 +51,7 @@ dist_app_DATA =				\
 	kdc_req.conf.template		\
 	krb5.conf.template		\
 	krb5.ini.template		\
+	freeipa.template		\
 	krb.con.template		\
 	krbrealm.con.template		\
 	smb.conf.template		\

install/share/freeipa.template

+[libdefaults]
+    spake_preauth_groups = edwards25519

install/share/kdc.conf.template

@@ -2,6 +2,7 @@
  kdc_ports = 88
  kdc_tcp_ports = 88
  restrict_anonymous_to_tgt = true
+ spake_preauth_kdc_challenge = edwards25519
 
 [realms]
  $REALM = {

install/share/wsgi.py

@@ -23,6 +23,8 @@
 """
 WSGI appliction for IPA server.
 """
+from __future__ import absolute_import
+
 import logging
 import os
 import sys

install/tools/ipa-ca-install

@@ -35,6 +35,7 @@ from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
 from ipaserver.install import cainstance, service
+from ipaserver.install import custodiainstance
 from ipapython import version
 from ipalib import api
 from ipalib.constants import DOMAIN_LEVEL_0
@@ -219,13 +220,17 @@ def install_replica(safe_options, options, filename):
     options.domain_name = config.domain_name
     options.dm_password = config.dirman_password
     options.host_name = config.host_name
+    options.ca_host_name = config.ca_host_name
     if os.path.exists(cafile):
         options.ca_cert_file = cafile
     else:
         options.ca_cert_file = None
 
     ca.install_check(True, config, options)
-    ca.install(True, config, options)
+
+    custodia = custodiainstance.get_custodia_instance(
+        options, custodiainstance.CustodiaModes.CA_PEER)
+    ca.install(True, config, options, custodia=custodia)
 
 
 def install_master(safe_options, options):
@@ -263,13 +268,17 @@ def install_master(safe_options, options):
                 "Continue to configure the CA with these values?", False):
             sys.exit("Installation aborted")
 
-    ca.install(True, None, options)
+    # No CA peer available yet.
+    custodia = custodiainstance.get_custodia_instance(
+        options, custodiainstance.CustodiaModes.STANDALONE)
+    ca.install(True, None, options, custodia=custodia)
 
     # Run ipa-certupdate to add the new CA certificate to
     # certificate databases on this server.
     logger.info("Updating certificate databases.")
     ipa_certupdate.run_with_args(api)
 
+
 def install(safe_options, options, filename):
     options.promote = False
 

install/tools/man/ipa-backup.1

@@ -69,6 +69,8 @@ Log to the given file
 0 if the command was successful
 
 1 if an error occurred
+
+2 if IPA is not configured
 .SH "FILES"
 .PP
 \fI/var/lib/ipa/backup\fR

install/ui/src/freeipa/group.js

@@ -128,6 +128,10 @@ return {
             $type: 'association',
             name: 'member_group'
         },
+        {
+            $type: 'association',
+            name: 'member_service'
+        },
         {
             $type: 'attribute',
             name: 'member_external',

install/ui/src/freeipa/host.js

@@ -518,6 +518,12 @@ IPA.host.details_facet = function(spec, no_init) {
         return that.entity.name+'_show_'+that.get_pkey();
     };
 
+    that.update_on_success = function(data, text_status, xhr) {
+        that.on_update.notify();
+        that.nofify_update_success();
+        that.refresh();
+    };
+
     if (!no_init) that.init_details_facet();
 
     return that;

install/ui/src/freeipa/idviews.js

@@ -317,6 +317,10 @@ return {
                 $type: 'cert_textarea',
                 name: 'usercertificate'
             },
+            {
+                $type: 'sshkey',
+                name: 'ipasshpubkey'
+            },
             'loginshell',
             'homedirectory',
             {
@@ -450,6 +454,12 @@ idviews.id_override_user_details_facet = function(spec) {
         return batch;
     };
 
+    that.update_on_success = function(data, text_status, xhr) {
+        that.on_update.notify();
+        that.nofify_update_success();
+        that.refresh();
+    };
+
     return that;
 };