[Freeipa-devel] [PATCH] 0084 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 8 17:31:52 UTC 2012


Hi,

attached patch moves S4U2Proxy configuration for CIFS service to
ipa-adtrust-install. Since CIFS service is only available after running
ipa-adtrust-install, we cannot reference its principal in advance. This
means the bootstrap template and the update process cannot reference it
directly; otherwise upgrading from older versions would fail because the
updates would reference a non-existent principal.

https://fedorahosted.org/freeipa/ticket/3041

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 2c29b1ee8e4bc0752be61889f254fb37f701dcbc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 8 Oct 2012 13:27:16 +0300
Subject: [PATCH 3/4] Add cifs principal to S4U2Proxy targets only when
 running ipa-adtrust-install

Since the CIFS principal is generated by ipa-adtrust-install and is only usable after
the CIFS configuration has been set up, there is no need to include it in the default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default.

https://fedorahosted.org/freeipa/ticket/3041
---
 install/share/bootstrap-template.ldif      |  1 -
 install/share/replica-s4u2proxy.ldif       |  6 ----
 install/updates/60-trusts.update           |  4 ---
 install/updates/61-trusts-s4u2proxy.update |  9 ++----
 ipaserver/install/adtrustinstance.py       | 46 ++++++++++++++++++++++++++----
 5 files changed, 42 insertions(+), 24 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 24804e475427ad7e5b2ae7c69d6cfb54cafbef38..a17f2518fce89232e6339fa1fdce508dd2c8f45c 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -195,7 +195,6 @@ changetype: add
 objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-cifs-delegation-targets
-memberPrincipal: cifs/$HOST@$REALM
 
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
diff --git a/install/share/replica-s4u2proxy.ldif b/install/share/replica-s4u2proxy.ldif
index 98de46fa7760965ea28fe15b29a16e88310e4992..c7ced5ee290103b1bc92e44d849835fda57ba03d 100644
--- a/install/share/replica-s4u2proxy.ldif
+++ b/install/share/replica-s4u2proxy.ldif
@@ -12,9 +12,3 @@ dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify
 add: memberPrincipal
 memberPrincipal: ldap/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-changetype: modify
-add: memberPrincipal
-memberPrincipal: cifs/$FQDN@$REALM
-
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index cc9a771df901a90b457357c570dc06d34c0db4c8..bf2c58daa9bc6abb2bbcefecec98d0dca9a89d60 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -40,10 +40,6 @@ dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
 default: objectClass: GroupOfNames
 default: objectClass: top
 default: cn: adtrust agents
-default: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
-
-dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
-add: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
 
 dn: cn=trusts,$SUFFIX
 default: objectClass: top
diff --git a/install/updates/61-trusts-s4u2proxy.update b/install/updates/61-trusts-s4u2proxy.update
index 4a71148bc6bfd8a5464fef21153d5357e2f4ad9d..7504a068e2a3d773eb34fc09a959d324ff0d9430 100644
--- a/install/updates/61-trusts-s4u2proxy.update
+++ b/install/updates/61-trusts-s4u2proxy.update
@@ -1,12 +1,7 @@
-dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
-add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
-
 dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 default: objectClass: groupOfPrincipals
 default: objectClass: top
 default: cn: ipa-cifs-delegation-targets
-default: memberPrincipal: cifs/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-add: memberPrincipal: cifs/$FQDN@$REALM
 
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 3f3924eb3ce9f56ac66407347645c40f96eb6430..4c4197a8a7650055a8c19ab7af31dd1477c05298 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -53,6 +53,13 @@ change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
+UPGRADE_ERROR = """
+Entry %(dn)s does not exist.
+This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
+configuration was not set up properly. Please run ipa-ldap-updater manually
+and re-run ipa-adtrust-instal again afterwards.
+"""
+
 def check_inst():
     for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
         if not os.path.exists(smbfile):
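Review bot: The new UPGRADE_ERROR text is shown to the administrator at the point the install aborts its S4U2Proxy setup, and it contains two typos that will be copied into bug reports and searched for verbatim: "did not went well" and the command name "ipa-adtrust-instal". The three message lines should read `This means the upgrade from IPA 2.x to 3.x did not go well and the required S4U2Proxy`, `configuration was not set up properly. Please run ipa-ldap-updater manually` and `and re-run ipa-adtrust-install again afterwards.`. Since the string is interpolated with `%(dn)s`, a short comment above it such as `# Shown by __add_s4u2proxy_target when the delegation-targets entry is missing after an upgrade` would tell a reader where the message originates.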
@@ -401,6 +408,25 @@ class ADTRUSTInstance(service.Service):
         self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
                                'ipa-extdom-extop-conf.ldif')
 
+    def __add_s4u2proxy_target(self):
+        """
+        Add CIFS principal to S4U2Proxy target
+        """
+
+        targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
+                        ('cn', 'etc'), self.suffix)
+        try:
+            targets = self.admin_conn.getEntry(targets_dn, ldap.SCOPE_BASE)
+            current = ipaldap.Entry((targets_dn, targets.toDict()))
+            members = current.getValues('memberPrincipal') or []
+            if not(self.cifs_principal in members):
+                current.setValues("memberPrincipal", members + [self.cifs_principal])
+                self.admin_conn.updateEntry(targets_dn, targets.toDict(), current.toDict())
+            else:
+                self.print_msg('cifs principal already targeted, nothing to do.')
+        except errors.NotFound:
+            self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))
+
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
         conf = ipautil.template_file(template, self.sub_dict)
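Review bot: In `__add_s4u2proxy_target` the `except errors.NotFound` branch only prints UPGRADE_ERROR and returns, so the installer step "adding cifs principal to S4U2Proxy targets" completes as if it succeeded while the HTTP service is left without the delegation target it needs to obtain CIFS tickets on behalf of users; the broken state is only visible to whoever reads the console output. Because the step already identifies the remedy (run ipa-ldap-updater, re-run the installer), it should fail the install rather than continue, e.g. keep the `self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))` line and follow it with a bare `raise` so the caught NotFound propagates to the step runner. Two smaller points: `if not(self.cifs_principal in members):` reads more naturally as `if self.cifs_principal not in members:`, and this hunk builds the entry as `ipaldap.Entry((targets_dn, targets.toDict()))` (dn and dict wrapped in one tuple) while the later hunk of this same patch calls `ipaldap.Entry(self.smb_dn)` with a bare DN — presumably the constructor accepts both forms, but it is worth confirming so the two call sites do not diverge.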
@@ -421,12 +447,19 @@ class ADTRUSTInstance(service.Service):
             # Add the principal to the 'adtrust agents' group
             # as 389-ds only operates with GroupOfNames, we have to use
             # the principal's proper dn as defined in self.cifs_agent
-            entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
-            current = ipaldap.Entry(self.smb_dn, entry.toDict())
-            if not('member' in current):
-                current['member'] = []
-            entry.setValues("member", current['member'] + [self.cifs_agent])
-            self.admin_conn.updateEntry(self.smb_dn, current, entry)
+            try:
+                entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
+                current = ipaldap.Entry((self.smb_dn, entry.toDict()))
+                members = current.getValues('member') or []
+                if not(self.cifs_agent in members):
+                    current.setValues("member", members + [self.cifs_agent])
+                    self.admin_conn.updateEntry(self.smb_dn, entry.toDict(), current.toDict())
+            except errors.NotFound:
+                entry = ipaldap.Entry(self.smb_dn)
+                entry.setValues("objectclass", ["top", "GroupOfNames"])
+                entry.setValues("cn", self.smb_dn['cn'])
+                entry.setValues("member", [self.cifs_agent])
+                self.admin_conn.addEntry(entry)
         except Exception, e:
             # CIFS principal already exists, it is not the first time adtrustinstance is managed
             # That's fine, we we'll re-extract the key again.
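Review bot: The new `try`/`except errors.NotFound` that creates the 'adtrust agents' group still sits inside the enclosing `try` whose `except Exception, e` at the end of this hunk is annotated "CIFS principal already exists", so any failure of `updateEntry` or `addEntry` in the added lines (for example an ACI or schema rejection) is swallowed and reported as the principal already existing; the cifs service then silently stays outside the agents group, which is the membership that grants it its privileges. The enclosing function begins before this hunk, so the fix cannot be quoted in full here: move the group-membership block after the outer `try`/`except`, or narrow the outer handler to the duplicate-principal error it is actually documenting, so that membership failures surface as errors. The comment on the last context line also has a duplicated word, `we we'll`, which could be fixed while touching these lines.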
@@ -722,6 +755,7 @@ class ADTRUSTInstance(service.Service):
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
         self.step("updating Kerberos config", self.__update_krb5_conf)
-- 
1.7.12


