URL: https://github.com/freeipa/freeipa/pull/3977 Author: flo-renaud Title: #3977: trust upgrade: ensure that host is member of adtrust agents Action: opened
PR body: """ After an upgrade, the group cn=adtrust agents may be missing some members. Each ad trust controller must appear twice as member: - krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn - fqdn=hostname,cn=computers,cn=accounts,basedn Add an upgrade plugin that builds a list of hostnames from the cifs principals and adds if needed fqdn=hostname... Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3977/head:pr3977 git checkout pr3977
From d2bd8f600b115ae152e5d20bb9495eb813d9005e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 3 Dec 2019 12:56:22 +0100
Subject: [PATCH] trust upgrade: ensure that host is member of adtrust agents
After an upgrade, the group cn=adtrust agents may be missing some members. Each ad trust controller must appear twice as member: - krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn - fqdn=hostname,cn=computers,cn=accounts,basedn Add an upgrade plugin that builds a list of hostnames from the cifs principals and adds if needed fqdn=hostname... Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
---
 .../updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/adtrust.py | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 26b8820e8c..07137c2f56 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -14,6 +14,7 @@ plugin: update_tdo_gidnumber
 plugin: update_tdo_to_new_layout
 plugin: update_host_cifs_keytabs
 plugin: update_tdo_default_read_keys_permissions
+plugin: update_adtrust_agents_members
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 2a9b4f04e2..fed4893005 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -9,9 +9,11 @@ from ipapython.dn import DN from ipapython import ipautil from ipaplatform.paths import paths +from ipaserver.install import service from ipaserver.install import sysupgrade from ipaserver.install.adtrustinstance import ( ADTRUSTInstance, map_Guests_to_nobody) + from ipaserver.dcerpc_common import TRUST_BIDIRECTIONAL try:
@@ -882,3 +884,54 @@ def execute(self, **options): tdo.single_value.get('krbCanonicalName')) return False, [] + + +@register() +class update_adtrust_agents_members(Updater): + """ Ensure that each adtrust agent is a member of the adtrust agents group + + cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN must contain: + - member: krbprincipalname=cifs/master@realm,cn=services,cn=accounts,base + - member: fqdn=master,cn=computers,cn=accounts,base + """ + def execute(self, **options): + ldap = self.api.Backend.ldap2 + + # First, see if trusts are enabled on the server + if not self.api.Command.adtrust_is_enabled()['result']: + logger.debug('AD Trusts are not enabled on this server') + return False, [] + + agents_dn = DN( + ('cn', 'adtrust agents'), ('cn', 'sysaccounts'), + ('cn', 'etc'), self.api.env.basedn) + + try: + agents_entry = ldap.get_entry(agents_dn, ['member']) + except errors.NotFound: + logger.error("No adtrust agents group found") + return False, [] + + agents_list = [] + members = agents_entry.get('member', []) + + suffix = '@{}'.format(self.api.env.realm).lower() + for amember in members: + if amember[0].attr.lower() == 'krbprincipalname': + # Extract krbprincipalname=cifs/hostname@realm from the DN + value = amember[0].value + if (value.lower().startswith('cifs/') and + value.lower().endswith(suffix)): + # 5 = length of 'cifs/' + hostname = value[5:-len(suffix)] + agents_list.append(DN(('fqdn', hostname), + self.api.env.container_host, + self.api.env.basedn)) + + service.add_principals_to_group( + ldap, + agents_dn, + "member", + agents_list) + + return False, []
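Review bot: The derived member DN `DN(('fqdn', hostname), self.api.env.container_host, self.api.env.basedn)` in `update_adtrust_agents_members.execute` is handed to `service.add_principals_to_group` without confirming that the host entry exists (unless that helper does so), and nothing records which hosts this step adds; since membership of cn=adtrust agents is what grants trust-controller access, a line such as `logger.debug("Adding %s to adtrust agents group", agents_list)` before the call would make the upgrade auditable. The `value[5:-len(suffix)]` slice yields an empty hostname for a principal of the form `cifs/@REALM`, so `if not hostname: continue` after it would avoid building a malformed fqdn DN. Whether the helper tolerates an empty `agents_list` is not visible in this hunk; an early `if not agents_list: return False, []` would make that explicit. The class and its execute method lie entirely within the hunk.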