[Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 10 09:29:28 UTC 2012 

On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>>On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>>>Hi,
>>>
>>>Since use of winbind on FreeIPA server that is configured with trusts is
>>>conflicting with krb5 locator based on winbind, make sure there is
>>>conflict that will force removing samba{,4}-winbind-krb5-locator package
>>>when -server-trust-ad subpackage is installed.
>>>
>>>Please note that since feature-wise the two packages would be
>>>conflicting in use, one has to play tricks with rpm to enforce
>>>automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes:
>>>in addtion to Conflicts: tag. This allows to ensure the two packages
>>>never installed together:
>>>
>>>Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after
>>>freeipa-server-trust-ad subpackage is installed.
>>>
>>>Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator
>>>during the install of freeipa-server-trust-ad.
>>Unfortunately, the side-effect of the Obsoletes: tag is that
>>freeipa-server-trust-ad would always be selected from the repository
>>whenever one wants to install samba{,4}-winbind-krb5-locator, so this
>>approach does not work.
>>
>>We can keep pure Conflicts: tags because they would prevent co-install
>>of the packages. They alone would not be able to provide way to solve
>>conflicts.
>>
>>I'm working on a bit more complex variant with alternatives.
>New patch attached. I verified that it works but in order to make it
>useful, samba{,4} package needs to be updated to include alternatives
>for winbind_krb5_locator.so plugin. Working on that now.
Attached is the patch for samba (f18, rawhide).

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From a78139d777deab75e3bf500472d88cba6a720484 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 10 Oct 2012 12:21:42 +0300
Subject: [PATCH] Move winbind_krb5_locator.so to back to %_libdir and use
 alternatives instead

This is required to support IPA AD trusts where winbind_krb5_locator.so should
be disabled. The only way to disable it without uninstalling the package is to
make it configurable via alternatives system.
---
 samba.spec | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/samba.spec b/samba.spec
index 292fd7e90221795982788dc7a7606fa907dfa4e3..a3cc66b326f7cf83b4c81939aa70d35b80fcae0b 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 152
+%define main_release 153
 
 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@@ -279,6 +279,14 @@ Requires: %{name}-libs = %{samba_depver}
 
 Provides: samba4-winbind-krb5-locator = %{samba_depver}
 Obsoletes: samba4-winbind-krb5-locator < %{samba_depver}
+# Handle winbind_krb5_locator.so as alternatives to allow
+# IPA AD trusts case where it should not be used by libkrb5
+# The plugin will be diverted to /dev/null by the FreeIPA
+# freeipa-server-trust-ad subpackage due to higher priority
+# and restored to the proper one on uninstall
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 %description winbind-krb5-locator
 The winbind krb5 locator is a plugin for the system kerberos library to allow
@@ -538,8 +546,7 @@ done
 
 # winbind krb5 locator
 install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
-install -m 755 %{buildroot}/%{_libdir}/winbind_krb5_locator.so %{buildroot}/%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-rm -f %{buildroot}/%{_libdir}/winbind_krb5_locator.so
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 # cleanup stuff that does not belong here
 rm -f %{buildroot}/%{_mandir}/man3/ldb.3*
@@ -557,6 +564,7 @@ rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp
 # Fix up permission on perl install.
 %{_fixperms} %{buildroot}%{perl_vendorlib}
 
+
 # Remove stuff the buildsystem did not handle correctly
 rm -f %{buildroot}%{_libdir}/security/pam_smbpass.so
 rm -f %{buildroot}%{python_sitelib}/tevent.py
@@ -622,6 +630,22 @@ rm -f %{buildroot}%{python_sitelib}/tevent.py
 %postun -n libwbclient -p /sbin/ldconfig
 %endif # with_libwbclient
 
+%postun winbind-krb5-locator 
+if [ "$1" -ge "1" ]; then
+        if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then
+                %{_sbindir}/alternatives --set winbind_krb5_locator %{_libdir}/winbind_krb5_locator.so
+        fi
+fi
+
+%post winbind-krb5-locator
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+                                winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10
+
+%preun winbind-krb5-locator
+if [ $1 -eq 0 ]; then
+        %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+fi
+
 %clean
 rm -rf %{buildroot}
 
@@ -905,7 +929,8 @@ rm -rf %{buildroot}
 
 %files winbind-krb5-locator
 %defattr(-,root,root)
-%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_libdir}/winbind_krb5_locator.so
 %{_mandir}/man7/winbind_krb5_locator.7*
 
 %files winbind-clients
@@ -1255,6 +1280,9 @@ rm -rf %{buildroot}
 %endif # with_libwbclient
 
 %changelog
+* Wed Oct 10 2012 - Alexander Bokovoy <abokovoy at redhat.com> - 2:4.0.0-153.rc1
+- Use alternatives to configure winbind_krb5_locator.so
+
 * Thu Oct 04 2012 - Andreas Schneider <asn at redhat.com> - 2:4.0.0-152.rc1
 - Add kerberos AES support.
 - Fix printing initialization.
-- 
1.7.12

More information about the Freeipa-devel mailing list