[Freeipa-devel] [PATCH] client: include the directory with domain-realm mappings in krb5.conf

Jakub Hrozek jhrozek at redhat.com
Fri Aug 17 11:44:30 UTC 2012


Hi,

the attached patches add the directory to which SSSD writes domain-realm
mappings as an includedir in krb5.conf when installing the client.

[PATCH 1/3] ipachangeconf: allow specifying non-default delimeter for options
ipachangeconf only allows one delimeter between keys and values. This
patch adds the possibility of also specifying "delim" in the option
dictionary to override the default delimeter.

On a slightly-unrelated note, we really should think about adopting
Augeas. Changing configuration with home-grown scripts is getting
tricky.

[PATCH 2/3] Specify includedir in krb5.conf on new installs
This patch utilizes the new functionality from the previous patch to add
the includedir on top of the krb5.conf file

[PATCH 3/3] Add the includedir to krb5.conf on upgrades
This patch is completely untested and I'm only posting it to get
opinions. At first I was going to use an upgrade script in %post but
then I thought it would be overengineering when all we want to do is
prepend one line.. Would a simple munging like this be acceptable or
shall I write a full script?
-------------- next part --------------
>From 507dad241486258348153bedb06011e0f884c88f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Fri, 17 Aug 2012 11:19:03 +0200
Subject: [PATCH 1/3] ipachangeconf: allow specifying non-default delimeter
 for options

---
 ipa-client/ipaclient/ipachangeconf.py | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py
index f6288062be5c5d1b29341ed90814e1fa1431019c..f5ec227fee6a46eb666a1bfe9a3349e40f80b7e9 100644
--- a/ipa-client/ipaclient/ipachangeconf.py
+++ b/ipa-client/ipaclient/ipachangeconf.py
@@ -161,7 +161,10 @@ class IPAChangeConf:
                 output += self.indent[level]+self.subsectdel[1]+self.deol
                 continue
             if o['type'] == "option":
-                output += self.indent[level]+o['name']+self.dassign+o['value']+self.deol
+                delim = o.get('delim', self.dassign)
+                if delim not in self.assign:
+                    raise ValueError('Unknown delim "%s" must be one of "%s"' % (delim, " ".join([d for d in self.assign])))
+                output += self.indent[level]+o['name']+delim+o['value']+self.deol
                 continue
             if o['type'] == "comment":
                 output += self.dcomment+o['value']+self.deol
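Review bot: The ValueError message in the added option branch joins the allowed delimiters with spaces, so once a delimiter is itself whitespace (the second patch in this series registers `" "`) the message cannot show where one delimiter ends and the next begins. Formatting with repr keeps it readable: `raise ValueError('Unknown delim %r, must be one of %r' % (delim, tuple(self.assign)))`. The list comprehension `[d for d in self.assign]` is also a plain copy and can be dropped. The enclosing method starts and ends outside the hunk.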
@@ -182,11 +185,21 @@ class IPAChangeConf:
         if value:
             return {'name':'comment', 'type':'comment', 'value':value.rstrip()} #pylint: disable=E1103
 
+        o = dict()
         parts = line.split(self.dassign, 1)
         if len(parts) < 2:
-            raise SyntaxError, 'Syntax Error: Unknown line format'
+            # The default assign didn't match, try the non-default
+            for d in self.assign[1:]:
+                parts = line.split(d, 1)
+                if len(parts) >= 2:
+                    o['delim'] = d
+                    break
 
-        return {'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()}
+            if 'delim' not in o:
+                raise SyntaxError, 'Syntax Error: Unknown line format'
+
+        o.update({'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()})
+        return o
 
     def findOpts(self, opts, type, name, exclude_sections=False):
 
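Review bot: The fallback loop turns what used to be a hard SyntaxError into a successful parse for any line that merely contains one of the alternate delimiters; with the `(" = ", " ")` pair registered by ipa-client-install in this series, every line that contains a space and lacks ` = ` now comes back as an option. If only directives such as `includedir` are meant to use the alternate form, the loop should carry a comment such as `# NOTE: any line containing an alternate delimiter is accepted as an option; malformed lines no longer raise`, or the fallback should be limited to known directive names. The default delimiter also always wins, so a space-delimited line whose value contains ` = ` is split at the wrong place. The enclosing method starts above the hunk.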
@@ -224,7 +237,9 @@ class IPAChangeConf:
                 opts.append({'name':'comment', 'type':'comment', 'value':val})
                 continue
             if o['type'] == 'option':
-                val = self.indent[level]+o['name']+self.dassign+o['value']
+                delim = o.get('delim', self.dassign)
+                if delim not in self.assign:
+                    val = self.indent[level]+o['name']+delim+o['value']
                 opts.append({'name':'comment', 'type':'comment', 'value':val})
                 continue
             if o['type'] == 'comment':
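Review bot: The guard in the added option branch is inverted compared with the writer hunk earlier in this patch: `val` is assigned only when `delim` is NOT in `self.assign`, and no ValueError is raised. For every valid delimiter `val` therefore keeps whatever an earlier iteration left in it (or is unbound on the first pass, as far as the hunk shows), and the following `opts.append` records the wrong text as the commented-out option. The branch should mirror the other one: `if delim not in self.assign: raise ValueError(...)` followed by an unconditional `val = self.indent[level]+o['name']+delim+o['value']`. The enclosing method starts and ends outside the hunk.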
-- 
1.7.11.2

-------------- next part --------------
>From 74091875ec511b1b271f723eb17918544258a957 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Sun, 5 Aug 2012 20:47:12 +0200
Subject: [PATCH 2/3] Specify includedir in krb5.conf on new installs

---
 ipa-client/ipa-install/ipa-client-install | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e65921e8de2dfe68443f5b5875954d71dd48ed2..a4c1b6fbdfefc26f9be8297b6e60ac4d0da42876 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -642,7 +642,7 @@ def hardcode_ldap_server(cli_server):
 def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, client_domain):
 
     krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
-    krbconf.setOptionAssignment(" = ")
+    krbconf.setOptionAssignment((" = ", " "))
     krbconf.setSectionNameDelimiters(("[","]"))
     krbconf.setSubSectionDelimiters(("{","}"))
     krbconf.setIndent(("","  ","    "))
@@ -650,6 +650,10 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
     opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
             {'name':'empty', 'type':'empty'}]
 
+    # SSSD include dir
+    opts.append({'name':'includedir', 'type':'option', 'value':'/var/lib/sss/pubconf/krb5.include.d/', 'delim':' '})
+    opts.append({'name':'empty', 'type':'empty'})
+
     #[libdefaults]
     libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
     if not dnsok or not cli_kdc or options.force:
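Review bot: The `includedir` entry makes every Kerberos consumer on the host load whatever files are present in `/var/lib/sss/pubconf/krb5.include.d/`, and the `# SSSD include dir` comment does not record that trust assumption. I would expand it to something like `# SSSD writes domain-realm mappings here; the directory must be writable by SSSD/root only, since its contents become part of krb5.conf`. It is also worth confirming how the target libkrb5 treats an includedir whose directory does not exist yet, because the line is added unconditionally. The same path literal is repeated in the spec scriptlet of patch 3, so a shared constant would keep them from drifting. configure_krb5_conf continues past the hunk.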
-- 
1.7.11.2

-------------- next part --------------
>From c163d4dac69243195e2d95f3a71cb31c61a1f43a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Fri, 17 Aug 2012 13:34:06 +0200
Subject: [PATCH 3/3] Add the includedir to krb5.conf on upgrades

---
 ipa-client/ipa-client.spec.in | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ipa-client/ipa-client.spec.in b/ipa-client/ipa-client.spec.in
index 686259ad24b241c232dce83b695a05f6fd6c3849..4cd6ee66aa384c1181bcaca1c2c755cf235e79b9 100644
--- a/ipa-client/ipa-client.spec.in
+++ b/ipa-client/ipa-client.spec.in
@@ -36,6 +36,15 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 %clean
 rm -rf %{buildroot}
 
+%post
+if egrep -q 'File modified by ipa-client-install' /etc/krb5.conf 2>/dev/null ; then
+    if ! egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
+        cp /etc/krb5.conf{,.ipaclientupgrade}
+        echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf
+        cat /etc/krb5.conf.ipaclientupgrade >> /etc/krb5.conf
+    fi
+fi
+
 
 %files
 %defattr(-,root,root,-)
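Review bot: The scriptlet truncates `/etc/krb5.conf` without checking that the backup copy succeeded: if `cp` fails (full disk, read-only path), the `echo ... >` still empties the file and the following `cat` has nothing to restore, leaving the host with a one-line Kerberos configuration. Chaining the steps keeps the original intact on failure, e.g. `cp -p /etc/krb5.conf /etc/krb5.conf.ipaclientupgrade && { echo "includedir /var/lib/sss/pubconf/krb5.include.d/"; cat /etc/krb5.conf.ipaclientupgrade; } > /etc/krb5.conf`. The rewrite is also not atomic, so a process reading the file between the `echo` and the `cat` sees only the includedir line. The unescaped dots in the second `egrep` pattern match any character; `grep -qF` would test for the literal path.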
-- 
1.7.11.2


