[Freeipa-devel] [PATCH] ipa-adtrust-install: create fallback group with ldif file

Sumit Bose sbose at redhat.com
Mon Oct 8 11:29:58 UTC 2012


Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3147 by adding
the default fallback group with an LDIF file instead of using the
framework.

bye,
Sumit
-------------- next part --------------
From 2cd6a4e0f93c34df60a221ea7e96a5c2735ece4d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 8 Oct 2012 10:44:07 +0200
Subject: [PATCH] ipa-adtrust-install: create fallback group with ldif file

Currently the framework is used to add the group, but we want to prevent
users from being added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup, and we want to
use a name with spaces in it. Neither is easily possible with the
framework, so an LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
---
 install/share/Makefile.am            |  1 +
 install/share/default-smb-group.ldif |  8 +++++++
 ipaserver/install/adtrustinstance.py | 41 ++++++++++--------------------------
 3 Dateien ge?ndert, 20 Zeilen hinzugef?gt(+), 30 Zeilen entfernt(-)
 create mode 100644 install/share/default-smb-group.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 03fef9a66f2f4c64e5685d4947c6f9139ac69ad0..23cd766a5a82ca514ffff9ebad82e0ee7db9ae77 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ app_DATA =				\
 	caJarSigningCert.cfg.template	\
 	default-aci.ldif		\
 	default-hbac.ldif		\
+	default-smb-group.ldif		\
 	delegation.ldif			\
 	replica-acis.ldif		\
 	ds-nfiles.ldif			\
diff --git a/install/share/default-smb-group.ldif b/install/share/default-smb-group.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..8d89f67cc7d8be66375c9accb038b3c20a4d4be4
--- /dev/null
+++ b/install/share/default-smb-group.ldif
@@ -0,0 +1,8 @@
+dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+cn: Default SMB Group
+description: Fallback group for primary group RID, do not add user to this group
+gidnumber: 999
+objectclass: top
+objectclass: ipaobject
+objectclass: posixgroup
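Review bot: The fixed `gidnumber: 999` on line 57 is undocumented; it only makes sense here if 999 is the installer's DNA magic value that the DNA plugin replaces with a GID from the configured range, and a reader who does not know that will take it for a real, system-range GID that could collide with a local group on enrolled hosts. I would add a comment above it, `# 999 is presumably the DNA magic value; the DNA plugin replaces it with an allocated GID`, or substitute it from the installer's dictionary if a magic-value key exists there. The entry also carries `ipaobject` without an `ipaUniqueID`, which presumably relies on the uuid plugin filling it in on add — worth a one-line comment as well. Finally, dropping groupofnames/nestedgroup only prevents `member` additions; it does not stop a user whose posixaccount gidNumber points at this group, so the description's "do not add user" wording is advisory, not enforced.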
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 3f3924eb3ce9f56ac66407347645c40f96eb6430..41030223d1f644ba6a6557ac90d8f518fcba9c29 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,6 @@ import errno
 import ldap
 import tempfile
 import uuid
-import krbV
 from ipaserver import ipaldap
 from ipaserver.install import installutils
 from ipaserver.install import service
@@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
     OBJC_USER = "ipaNTUserAttrs"
     OBJC_GROUP = "ipaNTGroupAttrs"
     OBJC_DOMAIN = "ipaNTDomainAttrs"
-    FALLBACK_GROUP_NAME = u'Default_SMB_Group'
+    FALLBACK_GROUP_NAME = u'Default SMB Group'
 
     def __init__(self, fstore=None):
         self.fqdn = None
@@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
         """
 
         self.ldap_connect()
-        try:
-            ctx = krbV.default_context()
-            ccache = ctx.default_ccache()
-        except krbV.Krb5Error, e:
-            self.print_msg("Must have Kerberos credentials to setup " \
-                           "AD trusts on server")
-            return
-
-        try:
-            api.Backend.ldap2.disconnect()
-            api.Backend.ldap2.connect(ccache.name)
-        except errors.ACIError, e:
-            self.print_msg("Outdated Kerberos credentials. " \
-                           "Use kdestroy and kinit to update your ticket")
-            return
-        except errors.DatabaseError, e:
-            self.print_msg("Cannot connect to the LDAP database. " \
-                           "Please check if IPA is running")
-            return
 
         try:
             dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
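Review bot: Removing the credential check and the ldap2 reconnect is fine for the group creation itself, which now goes through `self.admin_conn` and `_ldap_mod` instead of `api.Command`, but the function starts above this hunk and continues below it, so any remaining `api.Command` call in it would now run on whatever connection `ldap2` currently holds rather than the caller's ticket. Please confirm nothing in the rest of the method still depends on that reconnect; if the `api` name is no longer used there, its import can go the same way as `krbV`. The docstring closing on line 83 belongs to text outside the hunk, so I cannot tell whether it still states a Kerberos-credential requirement — if it does, update it.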
@@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
             self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
         except errors.NotFound:
             try:
-                fallback = api.Command['group_add'](self.FALLBACK_GROUP_NAME,
-                                           description= u'Fallback group for ' \
-                                                         'primary group RID, ' \
-                                                         'do not add user to ' \
-                                                         'this group',
-                                           nonposix=False)
-                fb_group_dn = fallback['result']['dn']
+                self._ldap_mod('default-smb-group.ldif', self.sub_dict)
             except Exception, e:
                 self.print_msg("Failed to add fallback group.")
                 raise e
 
+        # _ldap_mod does not return useful error codes, so we must check again
+        # if the fallback group was created properly.
         try:
-            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
-                    fallback['result']['dn'])]
+            self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
+        except errors.NotFound:
+                self.print_msg("Failed to add fallback group.")
+                return
+
+        try:
+            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
             self.admin_conn.modify_s(self.smb_dom_dn, mod)
         except:
             self.print_msg("Failed to add fallback group to domain object")
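Review bot: The NotFound branch on lines 130-132 prints a message and returns, so a failed `_ldap_mod` leaves the domain object without its `self.ATTR_FALLBACK_GROUP` value while the installer carries on as if the step succeeded; the branch a few lines up re-raises in the equivalent situation, and this one should too: `except errors.NotFound:` / `self.print_msg("Failed to add fallback group.")` / `raise`. The two lines inside that except are also indented by 16 spaces instead of 12, which Python accepts but reads as a stray block. Separately, the DN is now defined twice — in the LDIF as `cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX` and in `fb_group_dn`, built above this hunk from `FALLBACK_GROUP_NAME` — so renaming either one silently makes the line-129 check fail on every run; a comment next to `FALLBACK_GROUP_NAME` noting it must match default-smb-group.ldif would help. The enclosing function starts before this hunk.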
-- 
1.7.11.4


