URL: https://github.com/freeipa/freeipa/pull/2442
Author: flo-renaud
Title: #2442: [Backport][ipa-4-7] adtrust: define Guests mapping after creating cifs/ principal
Action: opened

PR body:
"""
This PR was opened automatically because PR #2439 was pushed to master and backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2442/head:pr2442
git checkout pr2442

From 536a21c42789b521d4c10227205f85ce4fcb8248 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Tue, 9 Oct 2018 17:21:37 +0300 Subject: [PATCH] adtrust: define Guests mapping after creating cifs/ principal All Samba utilities load passdb modules from the configuration file. As result, 'net groupmap' call would try to initialize ipasam passdb module and that one would try to connect to LDAP using Kerberos authentication. We should be running it after cifs/ principal is actually created in ipa-adtrust-install or otherwise setting up group mapping will fail. This only affects new installations. For older ones 'net groupmap' would work just fine because adtrust is already configured and all principals exist already. A re-run of 'ipa-server-upgrade' is a workaround too but better to fix the initial setup. Related: https://pagure.io/freeipa/issue/7705 --- ipaserver/install/adtrustinstance.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 46c4ad663c..da16748cfa 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -837,8 +837,6 @@ def create_instance(self): self.__create_samba_domain_object) self.step("creating samba config registry", self.__write_smb_registry) self.step("writing samba config file", self.__write_smb_conf) - self.step("map BUILTIN\\Guests to nobody group", - self.__map_Guests_to_nobody) self.step("adding cifs Kerberos principal", self.request_service_keytab) self.step("adding cifs and host Kerberos principals to the adtrust agents group", \ 
@@ -850,6 +848,8 @@ def create_instance(self): self.step("updating Kerberos config", self.__update_krb5_conf) self.step("activating CLDAP plugin", self.__add_cldap_module) self.step("activating sidgen task", self.__add_sidgen_task) + self.step("map BUILTIN\\Guests to nobody group", + self.__map_Guests_to_nobody) self.step("configuring smbd to start on boot", self.__enable) self.step("adding special DNS service records", \ self.__add_dns_service_records)
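Review bot: In the second hunk, the re-added "map BUILTIN\\Guests to nobody group" step has no code comment recording why it must run after "adding cifs Kerberos principal", so the ordering constraint from the commit message ('net groupmap' initializes the ipasam passdb module, which connects to LDAP using Kerberos) exists only in the commit log. Add a short comment above this self.step(...) call naming the dependency on request_service_keytab, so that a later reordering of the steps in create_instance does not bring the install failure back. The step now sits after "activating sidgen task" rather than directly after the principal steps; if one of the steps in between is also required for 'net groupmap' to succeed, the comment should say which one, otherwise moving it up next to the principal steps would make the dependency easier to see.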