[Freeipa-devel] [PATCH] 0067 Set Domain Users SID for ipausers group
Alexander Bokovoy
abokovoy at redhat.com
Tue Jul 31 12:28:56 UTC 2012
Hi,
Set 'Domain Users' SID for ipausers group during ipa-adtrust-install
Since all users belong to the ipausers group, giving that group the 'Domain Users' SID (RID -513) grants every user domain-user status. This is needed for the Kerberos driver to generate the MS-PAC.
--
/ Alexander Bokovoy
>From 08aa97ebf2b7958ac58a59a2b48a6db466be2972 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 31 Jul 2012 15:25:47 +0300
Subject: [PATCH 3/3] Set 'Domain Users' SID for ipausers group during
ipa-adtrust-install
Since all users belong to ipausers group, setting Domain Users SID
(-513) will give them status of domain users. This is needed for
Kerberos driver to generate MS-PAC.
---
ipaserver/install/adtrustinstance.py | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 9dcbec2d61d935f90e74cc65b30a0f1d0c0f9d2a..3f7d6e49646ba12a6a0b01e4505e2477a9b288db 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -128,12 +128,13 @@ class ADTRUSTInstance(service.Service):
sub_ids = struct.unpack("<LLL", os.urandom(12))
return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
- def __add_admin_sids(self):
+ def __add_wellknown_sids(self):
admin_dn = str(DN(('uid', 'admin'), api.env.container_user,
self.suffix))
admin_group_dn = str(DN(('cn', 'admins'), api.env.container_group,
self.suffix))
-
+ ipausers_group_dn = str(DN(('cn', 'ipausers'), api.env.container_group,
+ self.suffix))
try:
dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
ldap.SCOPE_BASE)
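Review bot: The renamed `__add_wellknown_sids` still carries no docstring, and a reader cannot tell from the signature which objects it touches or that it is meant to be idempotent. I would add, directly under the `def` line, `"""Assign well-known SIDs (domain SID plus a fixed RID) to the admin user, the admins group and the ipausers group; a no-op when all three already carry one."""`. The method body continues well past this hunk, so the remaining lookups and modifications are not visible here.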
@@ -159,9 +160,17 @@ class ADTRUSTInstance(service.Service):
print "IPA admin group object not found"
return
- if admin_entry.getValue(self.ATTR_SID) or \
- admin_group_entry.getValue(self.ATTR_SID):
- print "Admin SID already set, nothing to do"
+ try:
+ ipausers_group_entry = self.admin_conn.getEntry(ipausers_group_dn, \
+ ldap.SCOPE_BASE)
+ except:
+ print "IPA ipausers group object not found"
+ return
+
+ if (admin_entry.getValue(self.ATTR_SID) and
+ admin_group_entry.getValue(self.ATTR_SID) and
+ ipausers_group_entry.getValue(self.ATTR_SID)):
+ print "Well-known SIDs already set, nothing to do"
return
try:
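Review bot: Changing the early return from `or` to `and` means that on a re-run where admin and admins already carry SIDs but ipausers does not (an install upgraded from a release before this patch), the code falls through to the existing `modify_s` calls for admin and admins, which presumably still `MOD_ADD` the objectclass and SID and will now fail and print "Failed to modify IPA admin ..." for entries that are actually fine; those calls sit between this hunk and the next, so I am inferring their shape. Each entry should be guarded on its own, e.g. `if not ipausers_group_entry.getValue(self.ATTR_SID):` around the new modify, and likewise for the two existing ones, so that only the missing SIDs are added. The new bare `except:` on the ipausers lookup also swallows everything including KeyboardInterrupt and hides the real LDAP error; since the file is Python 2, `except ldap.LDAPError, e:` with `e` included in the printed message would keep the best-effort behaviour while making a failed lookup diagnosable.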
@@ -178,6 +187,13 @@ class ADTRUSTInstance(service.Service):
except:
print "Failed to modify IPA admin group object"
+ try:
+ self.admin_conn.modify_s(ipausers_group_dn, \
+ [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
+ (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-513")])
+ except:
+ print "Failed to modify IPA ipausers group object"
+
def __add_rid_bases(self):
"""
Add RID bases to the range object for the local ID range.
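Review bot: The bare `except:` around the new `modify_s` call hides why the Domain Users SID was not set, and according to the commit message the MS-PAC generation depends on it, so a silent failure here leaves every user without Domain Users membership in the PAC while the install reports success apart from one line of output. I would narrow it to `except ldap.LDAPError, e:` and print `"Failed to modify IPA ipausers group object: %s" % e` so the cause is visible. Note also that an LDAP modify is atomic: if ipausers already has `self.OBJC_GROUP`, the `MOD_ADD` of objectclass is rejected and the SID add in the same request is lost too, so on a group that already carries the objectclass this method will never set the SID; the guard from the previous hunk does not cover that case. Finally, `"-513"` is a magic string; a class-level constant such as `DOMAIN_USERS_RID = "513"` next to the other well-known RIDs would document its meaning.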
@@ -542,7 +558,7 @@ class ADTRUSTInstance(service.Service):
self.step("creating samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
self.step("adding cifs Kerberos principal", self.__setup_principal)
- self.step("adding admin(group) SIDs", self.__add_admin_sids)
+ self.step("adding well-known SIDs", self.__add_wellknown_sids)
self.step("adding RID bases", self.__add_rid_bases)
self.step("activating CLDAP plugin", self.__add_cldap_module)
self.step("activating sidgen plugin and task", self.__add_sidgen_module)
--
1.7.11.2