URL: https://github.com/freeipa/freeipa/pull/6092
Author: mrizwan93
Title: #6092: ipatests: Test cases for ipa-replica-conncheck command
Action: opened
PR body:
"""
Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
TGT (it should default to principal=admin and prompt for a password)
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6092/head:pr6092
git checkout pr6092
URL: https://github.com/freeipa/freeipa/pull/6107
Author: mrizwan93
Title: #6107: ipatests: Test empty cert request doesn't force certmonger to segfault
Action: opened
PR body:
"""
When an empty cert request is submitted to certmonger, it goes to
segfault. This fix tests that if something like this happens,
certmonger should gracefully handle it
related: https://pagure.io/certmonger/issue/191
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6107/head:pr6107
git checkout pr6107
URL: https://github.com/freeipa/freeipa/pull/6114
Author: flo-renaud
Title: #6114: [Backport][ipa-4-9] Extend test to see if replica is not shown when running `ipa-replica-manage list -v FQDN`
Action: opened
PR body:
"""
This PR was opened automatically because PR #6108 was pushed to master and backport to ipa-4-9 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6114/head:pr6114
git checkout pr6114
URL: https://github.com/freeipa/freeipa/pull/6115
Author: flo-renaud
Title: #6115: [Backport][ipa-4-9] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
Action: opened
PR body:
"""
This PR was opened automatically because PR #6111 was pushed to master and backport to ipa-4-9 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6115/head:pr6115
git checkout pr6115
URL: https://github.com/freeipa/freeipa/pull/6116
Author: abbra
Title: #6116: [Backport][ipa-4-9] PAC fixes for Windows Server November 2021 security release
Action: opened
PR body:
"""
This PR was opened automatically because PR #6113 was pushed to master and backport to ipa-4-9 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6116/head:pr6116
git checkout pr6116
URL: https://github.com/freeipa/freeipa/pull/6113
Author: abbra
Title: #6113: PAC fixes for Windows Server November 2021 security release
Action: opened
PR body:
"""
### ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021 security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and tickets to RODCs)
### ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021 security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on the ticket resolves to the account with the same SID as the PAC_REQUESTER_SID. If it doesn't, KDC must respond with KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID verification.
With these changes FreeIPA works against Windows Server 2019 with November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6113/head:pr6113
git checkout pr6113
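Added example, not part of PR #6113 and not ipa-kdb code: a small C model of the requester SID decision the PR body describes (exact cname match for a local PAC_REQUESTER_SID, trusted-domain membership for a non-local one). The function names, result codes and SIDs are constructed for illustration; treating an absent buffer as "nothing to verify" and returning a separate result for an unknown domain are assumptions, since the PR text does not state them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative result names, not ipa-kdb identifiers. */
enum req_sid_result { REQ_SID_OK, REQ_SID_TKT_REVOKED, REQ_SID_UNTRUSTED };

/* Constructed sample data: our own domain SID and the trusted domains. */
static const char *LOCAL_DOMAIN_SID = "S-1-5-21-1111-2222-3333";
static const char *TRUSTED_DOMAIN_SIDS[] = { "S-1-5-21-4444-5555-6666" };

/* True only when sid is exactly domain_sid followed by one "-<RID>" part. */
static bool sid_in_domain(const char *sid, const char *domain_sid)
{
    size_t n = strlen(domain_sid);
    return strncmp(sid, domain_sid, n) == 0 && sid[n] == '-' &&
           sid[n + 1] != '\0' && strchr(sid + n + 1, '-') == NULL;
}

/* requester_sid: SID from PAC_REQUESTER_SID, or NULL when the buffer is absent.
 * cname_sid: SID of the account the ticket's cname resolves to, or NULL. */
enum req_sid_result check_requester_sid(const char *requester_sid,
                                        const char *cname_sid)
{
    size_t i, count = sizeof(TRUSTED_DOMAIN_SIDS) / sizeof(TRUSTED_DOMAIN_SIDS[0]);

    if (requester_sid == NULL)
        return REQ_SID_OK;              /* assumption: nothing to verify */
    if (sid_in_domain(requester_sid, LOCAL_DOMAIN_SID)) {
        /* Local requester: exact match against the cname's account. */
        if (cname_sid != NULL && strcmp(requester_sid, cname_sid) == 0)
            return REQ_SID_OK;
        return REQ_SID_TKT_REVOKED;     /* KDC_ERR_TKT_REVOKED in the PR text */
    }
    /* Non-local requester: no exact check, but the domain must be trusted. */
    for (i = 0; i < count; i++)
        if (sid_in_domain(requester_sid, TRUSTED_DOMAIN_SIDS[i]))
            return REQ_SID_OK;
    return REQ_SID_UNTRUSTED;           /* assumption: separate result code */
}

int main(void)
{
    printf("%d\n", check_requester_sid("S-1-5-21-1111-2222-3333-1001",
                                       "S-1-5-21-1111-2222-3333-1002"));
    return 0;
}
```

The domain comparison is anchored on the "-" separator, so a SID whose domain part merely starts with a trusted domain SID is not accepted as belonging to it.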
URL: https://github.com/freeipa/freeipa/pull/6111
Author: mrizwan93
Title: #6111: ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
Action: opened
PR body:
"""
Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.
related: https://pagure.io/freeipa/issue/9052
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6111/head:pr6111
git checkout pr6111
URL: https://github.com/freeipa/freeipa/pull/6108
Author: ssidhaye
Title: #6108: Extend test to see if replica is not shown when running `ipa-replica-manage list -v`
Action: opened
PR body:
"""
Signed-off-by: Sumedh Sidhaye <ssidhaye(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6108/head:pr6108
git checkout pr6108