On Mon, 31 Jan 2011 15:46:37 -0500
Rob Crittenden <rcrit...@redhat.com> wrote:

> Simo Sorce wrote:
> > On Sat, 29 Jan 2011 10:28:49 -0500
> > Simo Sorce<sso...@redhat.com>  wrote:
> >
> >> On Fri, 28 Jan 2011 19:11:39 -0500
> >> Rob Crittenden<rcrit...@redhat.com>  wrote:
> >>
> >>> Simo Sorce wrote:
> >>>>
> >>>> Use a common group named 'dirsrv' for all DS instances, as
> >>>> requested in ticket #851
> >>>>
> >>>> While there, also remove the -u option; it is silly to allow
> >>>> changing only one of the three accounts (the others are the group
> >>>> name and the PKI DS instance user). Plus it is apparently confusing
> >>>> to admins.
> >>>>
> >>>> Simo.
> >>>
> >>> Just a couple of really minor nit-pickiness.
> >>>
> >>> If we are hardcoding the user why make it an argument to the
> >>> various create_instance commands? You already import the group
> >>> from dsinstance, why not the user too?
> >>
> >> I didn't want to change too much code :-)
> >> I'll change that, hopefully w/o introducing regressions.
> >>
> >>> And this code:
> >>>
> >>> if not group_exists is None and not group_exists:
> >>>
> >>> might be more readable as:
> >>>
> >>> if group_exists == False:
> >>
> >> I copied from dsinstance.uninstall() I will change it.
> >>
> >> Simo.
> >>
> >
> > Revised patch attached.
> >
> > Simo.
> 
> Install on a master and replica worked fine but uninstall on the
> replica failed with:
> 
> Shutting down all IPA services
> Removing IPA client configuration
> Unconfiguring ntpd
> Unconfiguring CA directory server
> Unconfiguring CA
> Unconfiguring web server
> Unconfiguring krb5kdc
> Unconfiguring ipa_kpasswd
> Unconfiguring directory server
> root        : CRITICAL failed to delete group Command 
> '/usr/sbin/groupdel dirsrv' returned non-zero exit status 6
> 
> error 6 means the specified group doesn't exist
> 
> The last bit of the uninstall log confirms this:
> 
> 2011-01-31 15:44:28,001 INFO args=/usr/sbin/groupdel dirsrv
> 2011-01-31 15:44:28,002 INFO stdout=
> 2011-01-31 15:44:28,003 INFO stderr=groupdel: group 'dirsrv' does not
> exist
> 
> 2011-01-31 15:44:28,004 CRITICAL failed to delete group Command 
> '/usr/sbin/groupdel dirsrv' returned non-zero exit status 6
> 
> rob

Ok, attached is a patch that checks if the group exists before trying to
delete it.

The reason it fails, I think, is that the group has the same name as the
dirsrv user, and when we remove the dirsrv user, userdel probably removes
the group as well, because at that stage the other user in that group
(pkisrv) has already been removed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From a8a3a0c25b72f629ac60688d9a94ae98c6b46cd0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 28 Jan 2011 15:45:19 -0500
Subject: [PATCH] Use a common group for all DS instances

Also remove the option to choose a user.
It is silly to keep it when you can choose neither the group nor the CA
directory user.

Fixes: https://fedorahosted.org/freeipa/ticket/851
---
 install/tools/ipa-replica-install |   36 ++++++++++---
 install/tools/ipa-replica-prepare |   17 ++----
 install/tools/ipa-server-install  |  102 ++++++++++++++++++-------------------
 ipaserver/install/cainstance.py   |   62 ++++++++++++-----------
 ipaserver/install/dsinstance.py   |   43 +++++++---------
 ipaserver/install/krbinstance.py  |   18 +++----
 6 files changed, 141 insertions(+), 137 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 3eb41daae3572e6cfdec943bd776f525f30bf87b..590fd645b449621161ffb4464e645bac016a23a8 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -22,6 +22,7 @@ import sys
 import socket
 
 import tempfile, os, pwd, traceback, logging, shutil
+import grp
 from ConfigParser import SafeConfigParser
 
 from ipapython import ipautil
@@ -33,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
+from ipapython import sysrestore
 
 CACERT="/etc/ipa/ca.crt"
 
@@ -45,7 +47,6 @@ class ReplicaConfig:
         self.domain_name = ""
         self.master_host_name = ""
         self.dirman_password = ""
-        self.ds_user = ""
         self.host_name = ""
         self.dir = ""
         self.subject_base = ""
@@ -116,7 +117,6 @@ def read_info(dir, rconfig):
 
     rconfig.realm_name = config.get("realm", "realm_name")
     rconfig.master_host_name = config.get("realm", "master_host_name")
-    rconfig.ds_user = config.get("realm", "ds_user")
     rconfig.domain_name = config.get("realm", "domain_name")
     rconfig.host_name = config.get("realm", "destination_host")
     rconfig.subject_base = config.get("realm", "subject_base")
@@ -145,7 +145,7 @@ def resolve_host(host_name):
         return None
 
 def set_owner(config, dir):
-    pw = pwd.getpwnam(config.ds_user)
+    pw = pwd.getpwnam(dsinstance.DS_USER)
     os.chown(dir, pw.pw_uid, pw.pw_gid)
 
 def install_ca(config):
@@ -168,9 +168,13 @@ def install_ca(config):
         sys.exit(1)
 
     cs = cainstance.CADSInstance()
-    cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
+    cs.create_instance(config.realm_name, config.host_name,
+                       config.domain_name, config.dirman_password)
     ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
-    ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base)
+    ca.configure_instance(config.host_name, config.dirman_password,
+                          config.dirman_password, pkcs12_info=(cafile,),
+                          master_host=config.master_host_name,
+                          subject_base=config.subject_base)
 
     return ca
 
@@ -187,7 +191,7 @@ def install_replica_ds(config):
                        config.dir + "/dirsrv_pin.txt")
 
     ds = dsinstance.DsInstance()
-    ds.create_replica(config.ds_user, config.realm_name,
+    ds.create_replica(config.realm_name,
                       config.master_host_name, config.host_name,
                       config.domain_name, config.dirman_password,
                       pkcs12_info)
@@ -205,7 +209,7 @@ def install_krb(config, setup_pkinit=False):
         pkcs12_info = (config.dir + "/pkinitcert.p12",
                        config.dir + "/pkinit_pin.txt")
 
-    krb.create_replica(config.ds_user, config.realm_name,
+    krb.create_replica(config.realm_name,
                        config.master_host_name, config.host_name,
                        config.domain_name, config.dirman_password,
                        ldappwd_filename, kpasswd_filename,
@@ -339,6 +343,9 @@ def main():
     if not ipautil.file_exists(filename):
         sys.exit("Replica file %s does not exist" % filename)
 
+    global sstore
+    sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
+
     # check the bind is installed
     if options.setup_dns:
         check_bind()
@@ -393,6 +400,21 @@ def main():
     api.bootstrap(in_server=True)
     api.finalize()
 
+    # Create DS group if it doesn't exist yet
+    try:
+        grp.getgrnam(dsinstance.DS_GROUP)
+        logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
+        group_exists = True
+    except KeyError:
+        group_exists = False
+        args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
+        try:
+            ipautil.run(args)
+            logging.debug("done adding DS group")
+        except ipautil.CalledProcessError, e:
+            logging.critical("failed to add DS group: %s" % e)
+    sstore.backup_state("install", "group_exists", group_exists)
+
     #Automatically disable pkinit w/ dogtag until that is supported
     #[certs.ipa_self_signed() must be called only after api.finalize()]
     if not ipautil.file_exists(config.dir + "/pkinitcert.p12") and not certs.ipa_self_signed():
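Review bot: A groupadd failure in the new block is only logged and the installer carries on, so the later `useradd -g dirsrv` in dsinstance/cainstance fails as well and the host is left half-configured; the critical log on the `except ipautil.CalledProcessError` branch should be followed by `sys.exit(1)` (or a raise) so the run stops while the cause is still obvious. The same fourteen lines are pasted into ipa-server-install's main() in the hunk at @@ -695,6 +668,21; a single helper in dsinstance next to DS_GROUP, called from both installers, would keep the two copies from drifting. main() continues outside the hunk.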
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 908c50a13362c2f34263a2e3a5a9f5cd00a0177c..38d31aa604edfbeef53a96abc9f47058ef05901d 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -183,19 +183,13 @@ def export_ra_pkcs12(dir, dm_password):
     finally:
         os.remove(agent_name)
 
-def get_ds_user(ds_dir):
-    uid = os.stat(ds_dir).st_uid
-    user = pwd.getpwuid(uid)[0]
-
-    return user
-
-def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host,
+def save_config(dir, realm_name, host_name,
+                domain_name, dest_host,
                 subject_base):
     config = SafeConfigParser()
     config.add_section("realm")
     config.set("realm", "realm_name", realm_name)
     config.set("realm", "master_host_name", host_name)
-    config.set("realm", "ds_user", ds_user)
     config.set("realm", "domain_name", domain_name)
     config.set("realm", "destination_host", dest_host)
     config.set("realm", "subject_base", subject_base)
@@ -213,8 +207,8 @@ def copy_files(realm_name, dir):
     config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 
     try:
-        shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") 
-        shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") 
+        shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
+        shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
         shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
         if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
             shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
@@ -281,7 +275,6 @@ def main():
         print "You can't create a replica on itself"
         sys.exit(1)
     ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
-    ds_user = get_ds_user(ds_dir)
 
     # get the directory manager password
     dirman_password = options.password
@@ -404,7 +397,7 @@ def main():
     print "Copying additional files"
     copy_files(api.env.realm, dir)
     print "Finalizing configuration"
-    save_config(dir, api.env.realm, api.env.host, ds_user, api.env.domain, replica_fqdn, subject_base)
+    save_config(dir, api.env.realm, api.env.host, api.env.domain, replica_fqdn, subject_base)
 
     replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
     encfile = replicafile+".gpg"
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c07f6fc3e8544b290b7a6dbee987487c9bfd7db9..4a40c13a233f37ebf651c5f38228b39cd1110221 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -31,7 +31,7 @@ import os
 import socket
 import errno
 import logging
-import pwd
+import grp
 import subprocess
 import signal
 import shutil
@@ -58,8 +58,6 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
-DEF_DS_USER = 'dirsrv'
-
 pw_name = None
 uninstalling = False
 
@@ -68,8 +66,6 @@ def parse_options():
     # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
     namespace = random.randint(1, 10000) * 200000
     parser = IPAOptionParser(version=version.VERSION)
-    parser.add_option("-u", "--user", dest="ds_user",
-                      help="ds user")
     parser.add_option("-r", "--realm", dest="realm_name",
                       help="realm name")
     parser.add_option("-n", "--domain", dest="domain_name",
@@ -151,12 +147,10 @@ def parse_options():
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
 
     if options.uninstall:
-        if (options.ds_user or options.realm_name or
+        if (options.realm_name or
             options.admin_password or options.master_password):
-            parser.error("In uninstall mode, -u, r and -P options are not allowed")
+            parser.error("In uninstall mode, -a, -r and -P options are not allowed")
     elif options.unattended:
-        if not options.ds_user:
-            options.ds_user = DEF_DS_USER
         if (not options.realm_name or
             not options.dm_password or not options.admin_password):
             parser.error("In unattended mode you need to provide at least -r, -p and -a options")
@@ -306,32 +300,6 @@ def resolve_host(host_name):
         print "Unable to lookup the IP address of the provided host"
     return ip
 
-def read_ds_user():
-    print "The server must run as a specific user in a specific group."
-    print "It is strongly recommended that this user should have no privileges"
-    print "on the computer (i.e. a non-root user).  The set up procedure"
-    print "will give this user/group some permissions in specific paths/files"
-    print "to perform server-specific operations."
-    print ""
-
-    ds_user = ""
-    try:
-        pwd.getpwnam(DEF_DS_USER)
-
-        print "A user account named %s already exists." % DEF_DS_USER
-        print "This is the user id that the Directory Server will run as."
-        print ""
-        if user_input("Do you want to use the existing %s account?" % DEF_DS_USER, True):
-            ds_user = DEF_DS_USER
-        else:
-            print ""
-            ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False)
-        print ""
-    except KeyError:
-        ds_user = DEF_DS_USER
-
-    return ds_user
-
 def read_domain_name(domain_name, unattended):
     print "The domain name has been calculated based on the host name."
     print ""
@@ -447,6 +415,18 @@ def uninstall():
         os.remove("/etc/httpd/conf.d/ipa.conf")
     except:
         pass
+
+    group_exists = sstore.restore_state("install", "group_exists")
+    if group_exists == False:
+        try:
+            grp.getgrnam(dsinstance.DS_GROUP)
+            try:
+                ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
+            except ipautil.CalledProcessError, e:
+                logging.critical("failed to delete group %s" % e)
+        except KeyError:
+            logging.info("Group %s already removed", dsinstance.DS_GROUP)
+
     return 0
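Review bot: The new groupdel branch formats the exception into the slot that reads like a group name, which is what produced the "failed to delete group Command ..." line quoted in the mail; `logging.critical("failed to delete group %s: %s" % (dsinstance.DS_GROUP, e))` reads correctly. `group_exists == False` also deserves `is False` plus a one-line comment, since the guard that was removed in cainstance (`not user_exists is None and not user_exists`) suggests restore_state returns None when the key was never recorded, and silently leaving the group alone in that case (a state file written before this patch) is the intended behaviour: `# None: no record of the group (pre-patch install), so leave it alone`. The same `== False` form is used in the three uninstall hunks of cainstance.py and dsinstance.py. uninstall() begins outside the hunk.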
 
 
@@ -492,6 +472,8 @@ def main():
 
     global fstore
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+    global sstore
+    sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
 
     # Configuration for ipalib, we will bootstrap and finalize later, after
     # we are sure we have the configuration file ready.
@@ -544,7 +526,6 @@ def main():
     if not options.external_ca:
         check_dirsrv(options.unattended)
 
-    ds_user = ""
     realm_name = ""
     host_name = ""
     domain_name = ""
@@ -629,14 +610,6 @@ def main():
     print "Domain name: " + domain_name
     print ""
 
-    if not options.ds_user:
-        ds_user = read_ds_user()
-        if ds_user == "":
-            sys.exit(1)
-        logging.debug("read ds_user: %s\n" % ds_user)
-    else:
-        ds_user = options.ds_user
-
     if not options.realm_name:
         realm_name = read_realm_name(domain_name, options.unattended)
         logging.debug("read realm_name: %s\n" % realm_name)
@@ -695,6 +668,21 @@ def main():
         print "Please wait until the prompt is returned."
         print ""
 
+    # Create DS group if it doesn't exist yet
+    try:
+        grp.getgrnam(dsinstance.DS_GROUP)
+        logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
+        group_exists = True
+    except KeyError:
+        group_exists = False
+        args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
+        try:
+            ipautil.run(args)
+            logging.debug("done adding DS group")
+        except ipautil.CalledProcessError, e:
+            logging.critical("failed to add DS group: %s" % e)
+    sstore.backup_state("install", "group_exists", group_exists)
+
     # Configure ntpd
     if options.conf_ntp:
         ntp = ntpinstance.NTPInstance(fstore)
@@ -730,21 +718,26 @@ def main():
 
         if options.external_cert_file is None:
             cs = cainstance.CADSInstance()
-            cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
+            cs.create_instance(realm_name, host_name, domain_name, dm_password)
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
         if external == 0:
-            ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
+            ca.configure_instance(host_name, dm_password, dm_password,
+                                  subject_base=options.subject)
         elif external == 1:
             options.realm_name = realm_name
             options.domain_name = domain_name
-            options.ds_user = ds_user
             options.master_password = master_password
             options.host_name = host_default
             options.unattended = True
             write_cache(options)
-            ca.configure_instance("pkiuser", host_name, dm_password, dm_password, csr_file="/root/ipa.csr", subject_base=options.subject)
+            ca.configure_instance(host_name, dm_password, dm_password,
+                                  csr_file="/root/ipa.csr",
+                                  subject_base=options.subject)
         else:
-            ca.configure_instance("pkiuser", host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, subject_base=options.subject)
+            ca.configure_instance(host_name, dm_password, dm_password,
+                                  cert_file=options.external_cert_file,
+                                  cert_chain_file=options.external_ca_file,
+                                  subject_base=options.subject)
 
     # Now put the CA cert where other instances exepct it
     ca.publish_ca_cert("/etc/ipa/ca.crt")
@@ -762,11 +755,14 @@ def main():
     if options.dirsrv_pkcs12:
         pkcs12_info = (options.dirsrv_pkcs12, pw_name)
         try:
-            ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow)
+            ds.create_instance(realm_name, host_name, domain_name,
+                               dm_password, pkcs12_info,
+                               subject_base=options.subject,
+                               hbac_allow=not options.hbac_allow)
         finally:
             os.remove(pw_name)
     else:
-        ds.create_instance(ds_user, realm_name, host_name, domain_name,
+        ds.create_instance(realm_name, host_name, domain_name,
                            dm_password, self_signed_ca=options.selfsign,
                            idstart=options.idstart, idmax=options.idmax,
                            subject_base=options.subject,
@@ -786,13 +782,13 @@ def main():
     krb = krbinstance.KrbInstance(fstore)
     if options.pkinit_pkcs12:
         pkcs12_info = (options.pkinit_pkcs12, pw_name)
-        krb.create_instance(ds_user, realm_name, host_name, domain_name,
+        krb.create_instance(realm_name, host_name, domain_name,
                             dm_password, master_password,
                             setup_pkinit=options.setup_pkinit,
                             pkcs12_info=pkcs12_info,
                             subject_base=options.subject)
     else:
-        krb.create_instance(ds_user, realm_name, host_name, domain_name,
+        krb.create_instance(realm_name, host_name, domain_name,
                             dm_password, master_password,
                             setup_pkinit=options.setup_pkinit,
                             self_signed_ca=options.selfsign,
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe036dd7650da1789107b462ac7f7336694fc53..8aa1d4477c3615d013301f93a52abe48577ec140 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -53,6 +53,9 @@ from ipalib import util
 
 DEFAULT_DSPORT=7389
 
+PKI_USER = "pkiuser"
+PKI_DS_USER = "pkisrv"
+
 # These values come from /usr/share/pki/ca/setup/postinstall
 PKI_INSTANCE_NAME="pki-ca"
 AGENT_SECURE_PORT=9443
@@ -219,7 +222,6 @@ class CADSInstance(service.Service):
         self.serverid = None
         self.host_name = None
         self.pkcs12_info = None
-        self.ds_user = None
         self.ds_port = None
         self.master_host = None
         if realm_name:
@@ -228,8 +230,8 @@ class CADSInstance(service.Service):
         else:
             self.suffix = None
 
-    def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
-        self.ds_user = ds_user
+    def create_instance(self, realm_name, host_name, domain_name,
+                        dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
         self.ds_port = ds_port
         self.realm_name = realm_name.upper()
         self.serverid = "PKI-IPA"
@@ -250,26 +252,29 @@ class CADSInstance(service.Service):
         server_root = dsinstance.find_server_root()
         self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
                              PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(),
-                             REALM=self.realm_name, USER=self.ds_user,
+                             REALM=self.realm_name, USER=PKI_DS_USER,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
                              TIME=int(time.time()), DSPORT=self.ds_port)
 
     def __create_ds_user(self):
         user_exists = True
         try:
-            pwd.getpwnam(self.ds_user)
-            logging.debug("ds user %s exists" % self.ds_user)
+            pwd.getpwnam(PKI_DS_USER)
+            logging.debug("ds user %s exists" % PKI_DS_USER)
         except KeyError:
             user_exists = False
-            logging.debug("adding ds user %s" % self.ds_user)
-            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
+            logging.debug("adding ds user %s" % PKI_DS_USER)
+            args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
+                                         "-c", "PKI DS System User",
+                                         "-d", "/var/lib/dirsrv",
+                                         "-s", "/sbin/nologin",
+                                         "-M", "-r", PKI_DS_USER]
             try:
                 ipautil.run(args)
                 logging.debug("done adding user")
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to add user %s" % e)
 
-        self.backup_state("user", self.ds_user)
         self.backup_state("user_exists", user_exists)
 
     def __create_instance(self):
@@ -328,17 +333,15 @@ class CADSInstance(service.Service):
             dsinstance.erase_ds_instance_data(serverid)
 
         self.service_name="pkids"
-        ds_user = self.restore_state("user")
         user_exists = self.restore_state("user_exists")
 
-        if not ds_user is None and not user_exists is None and not user_exists:
+        if user_exists == False:
             try:
-                ipautil.run(["/usr/sbin/userdel", ds_user])
+                ipautil.run(["/usr/sbin/userdel", PKI_DS_USER])
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to delete user %s" % e)
         self.service_name = sav_name
 
-
 class CAInstance(service.Service):
     """
     In the self-signed case the CA exists in the NSS_DB database.
@@ -360,7 +363,6 @@ class CAInstance(service.Service):
     def __init__(self, realm, ra_db):
         service.Service.__init__(self, "pki-cad")
         self.realm = realm
-        self.pki_user = "pkiuser"
         self.dm_password = None
         self.admin_password = None
         self.host_name = None
@@ -389,7 +391,7 @@ class CAInstance(service.Service):
     def __del__(self):
         shutil.rmtree(self.ca_agent_db, ignore_errors=True)
 
-    def configure_instance(self, pki_user, host_name, dm_password,
+    def configure_instance(self, host_name, dm_password,
                            admin_password, ds_port=DEFAULT_DSPORT,
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
@@ -404,7 +406,6 @@ class CAInstance(service.Service):
            chain and actually proceed to create the CA. For step 1 set
            csr_file. For step 2 set cert_file and cert_chain_file.
         """
-        self.pki_user = pki_user
         self.host_name = host_name
         self.dm_password = dm_password
         self.admin_password = admin_password
@@ -484,19 +485,21 @@ class CAInstance(service.Service):
     def __create_ca_user(self):
         user_exists = True
         try:
-            pwd.getpwnam(self.pki_user)
-            logging.debug("ca user %s exists" % self.pki_user)
+            pwd.getpwnam(PKI_USER)
+            logging.debug("ca user %s exists" % PKI_USER)
         except KeyError:
             user_exists = False
-            logging.debug("adding ca user %s" % self.pki_user)
-            args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", "-M", "-r", "-s", "/sbin/nologin", self.pki_user]
+            logging.debug("adding ca user %s" % PKI_USER)
+            args = ["/usr/sbin/useradd", "-c", "CA System User",
+                                         "-d", "/var/lib",
+                                         "-s", "/sbin/nologin",
+                                         "-M", "-r", PKI_USER]
             try:
                 ipautil.run(args)
                 logging.debug("done adding user")
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to add user %s" % e)
 
-        self.backup_state("user", self.pki_user)
         self.backup_state("user_exists", user_exists)
 
     def __configure_instance(self):
@@ -558,7 +561,7 @@ class CAInstance(service.Service):
                 # The install wizard expects the file to be here.
                 cafile = self.pkcs12_info[0]
                 shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
-                pent = pwd.getpwnam(self.pki_user)
+                pent = pwd.getpwnam(PKI_USER)
                 os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
                 args.append("-clone")
                 args.append("true")
@@ -615,7 +618,7 @@ class CAInstance(service.Service):
         # Turn off Nonces (again)
         if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
             raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(self.pki_user)
+        pent = pwd.getpwnam(PKI_USER)
         os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
 
         # pkisilent makes a copy of the CA PKCS#12 file for us but gives
@@ -934,8 +937,8 @@ class CAInstance(service.Service):
         publishdir='/var/lib/pki-ca/publish'
         os.mkdir(publishdir)
         os.chmod(publishdir, 0755)
-        pent = pwd.getpwnam(self.pki_user)
-        os.chown(publishdir, pent.pw_uid, pent.pw_gid )
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown(publishdir, pent.pw_uid, pent.pw_gid)
 
         # Enable file publishing, disable LDAP
         installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
@@ -994,11 +997,10 @@ class CAInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("failed to uninstall CA instance %s" % e)
 
-        pki_user = self.restore_state("user")
         user_exists = self.restore_state("user_exists")
-        if not pki_user is None and not user_exists is None and not user_exists:
+        if user_exists == False:
             try:
-                ipautil.run(["/usr/sbin/userdel", pki_user])
+                ipautil.run(["/usr/sbin/userdel", PKI_USER])
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to delete user %s" % e)
 
@@ -1013,6 +1015,6 @@ class CAInstance(service.Service):
 if __name__ == "__main__":
     installutils.standard_logging_setup("install.log", False)
     cs = CADSInstance()
-    cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
+    cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password")
     ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
-    ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
+    ca.configure_instance("catest.example.com", "password", "password")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 29950520117f92938621e843c7787ff0346b3508..0a33697d2c6a51f4a8514dbb225bb7f1fea93d62 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -21,7 +21,6 @@
 import shutil
 import logging
 import pwd
-import grp
 import glob
 import sys
 import os
@@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
 CACERT="/etc/ipa/ca.crt"
 
+DS_USER = 'dirsrv'
+DS_GROUP = 'dirsrv'
+
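Review bot: DS_USER and DS_GROUP carry the same string, and that identity is what the cover letter identifies as the uninstall failure: userdel of the dirsrv user can drop the dirsrv group once no other account uses it as its primary group, which is why the installers now check the group before groupdel. That reasoning lives only in the mail, so a comment on the two constants should record it: `# DS_USER and DS_GROUP deliberately share the name 'dirsrv'; userdel DS_USER may` / `# remove DS_GROUP once pkisrv is gone, so uninstall checks the group before groupdel.`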
 def find_server_root():
     if ipautil.dir_exists(SERVER_ROOT_64):
         return SERVER_ROOT_64
@@ -176,7 +178,6 @@ class DsInstance(service.Service):
         self.serverid = None
         self.fqdn = None
         self.pkcs12_info = None
-        self.ds_user = None
         self.dercert = None
         self.idstart = None
         self.idmax = None
@@ -223,11 +224,10 @@ class DsInstance(service.Service):
 
         self.step("configuring directory to start on boot", self.__enable)
 
-    def create_instance(self, ds_user, realm_name, fqdn, domain_name,
+    def create_instance(self, realm_name, fqdn, domain_name,
                         dm_password, pkcs12_info=None, self_signed_ca=False,
                         idstart=1100, idmax=999999, subject_base=None,
                         hbac_allow=True):
-        self.ds_user = ds_user
         self.realm_name = realm_name.upper()
         self.serverid = realm_to_serverid(self.realm_name)
         self.suffix = util.realm_to_suffix(self.realm_name)
@@ -256,9 +256,8 @@ class DsInstance(service.Service):
 
         self.start_creation("Configuring directory server", 60)
 
-    def create_replica(self, ds_user, realm_name, master_fqdn, fqdn,
+    def create_replica(self, realm_name, master_fqdn, fqdn,
                        domain_name, dm_password, pkcs12_info=None):
-        self.ds_user = ds_user
         self.realm_name = realm_name.upper()
         self.serverid = realm_to_serverid(self.realm_name)
         self.suffix = util.realm_to_suffix(self.realm_name)
@@ -309,7 +308,7 @@ class DsInstance(service.Service):
         self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
                              PASSWORD=self.dm_password,
                              SUFFIX=self.suffix.lower(),
-                             REALM=self.realm_name, USER=self.ds_user,
+                             REALM=self.realm_name, USER=DS_USER,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
                              TIME=int(time.time()), IDSTART=self.idstart,
                              IDMAX=self.idmax, HOST=self.fqdn,
@@ -319,27 +318,22 @@ class DsInstance(service.Service):
     def __create_ds_user(self):
         user_exists = True
 	try:
-            pwd.getpwnam(self.ds_user)
-            logging.debug("ds user %s exists" % self.ds_user)
+            pwd.getpwnam(DS_USER)
+            logging.debug("ds user %s exists" % DS_USER)
 	except KeyError:
             user_exists = False
-            logging.debug("adding ds user %s" % self.ds_user)
-            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
-            try:
-                # if the group already exists we need to request to add it,
-                # otherwise useradd will create it for us
-                grp.getgrnam(self.ds_user)
-                args.append("-g")
-                args.append(self.ds_user)
-            except KeyError:
-                pass
+            logging.debug("adding ds user %s" % DS_USER)
+            args = ["/usr/sbin/useradd", "-g", DS_GROUP,
+                                         "-c", "DS System User",
+                                         "-d", "/var/lib/dirsrv",
+                                         "-s", "/sbin/nologin",
+                                         "-M", "-r", DS_USER]
             try:
                 ipautil.run(args)
                 logging.debug("done adding user")
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to add user %s" % e)
 
-        self.backup_state("user", self.ds_user)
         self.backup_state("user_exists", user_exists)
 
     def __create_instance(self):
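Review bot: The new `useradd` argument list passes `-g DS_GROUP` unconditionally, so creating the user now hard-depends on the group already existing, whereas the removed code only appended `-g` after `grp.getgrnam` succeeded; the group-creation step is outside this hunk, so I cannot confirm it always runs first. If the group is absent, `useradd` exits non-zero, the failure is only reported through `logging.critical`, and `user_exists` is still recorded as False, so installation continues without the account (later `pwd.getpwnam(DS_USER)` lookups raise KeyError) and the uninstall path will attempt a `userdel` of a user that was never created. A guard before the `ipautil.run(args)` call, e.g. `grp.getgrnam(DS_GROUP)  # KeyError here means the group step did not run; do not continue`, and letting that KeyError propagate would fail fast with a clear cause. Separately, the `try:`/`except KeyError:` context lines in this block are tab-indented while the added lines use spaces; since the block is being rewritten anyway, normalising them to spaces avoids a mixed-indentation pitfall.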
@@ -617,12 +611,11 @@ class DsInstance(service.Service):
             dsdb.untrack_server_cert("Server-Cert")
             erase_ds_instance_data(serverid)
 
-        ds_user = self.restore_state("user")
         user_exists = self.restore_state("user_exists")
 
-        if not ds_user is None and not user_exists is None and not user_exists:
+        if user_exists == False:
             try:
-                ipautil.run(["/usr/sbin/userdel", ds_user])
+                ipautil.run(["/usr/sbin/userdel", DS_USER])
             except ipautil.CalledProcessError, e:
                 logging.critical("failed to delete user %s" % e)
 
@@ -686,7 +679,7 @@ class DsInstance(service.Service):
         fd.close()
         for line in lines:
             sline = line.strip()
-            if not sline.startswith(self.ds_user):
+            if not sline.startswith(DS_USER):
                 continue
             if sline.find('nofile') == -1:
                 continue
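Review bot: `sline.startswith(DS_USER)` on the new line is a prefix match, so a limits.conf entry for any account whose name merely begins with the DS user name is taken as the DS user's `nofile` line, and the parsing below it then acts on the wrong value; the enclosing function starts and ends outside the hunk. Comparing the first whitespace-separated field is exact and still skips blank lines: `fields = sline.split()` followed by `if not fields or fields[0] != DS_USER: continue`.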
@@ -711,7 +704,7 @@ class DsInstance(service.Service):
         if need_sysconf and need_limits:
             self.fstore.backup_file("/etc/security/limits.conf")
             fd = open("/etc/security/limits.conf", "a+")
-            fd.write('%s\t\t-\tnofile\t\t%s\n' % (self.ds_user, str(num)))
+            fd.write('%s\t\t-\tnofile\t\t%s\n' % (DS_USER, str(num)))
             fd.close()
 
             fd = open("/etc/sysconfig/dirsrv", "a+")
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9..86804ce086fb7bd7c2bc69d40a7b89320519d25c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -35,7 +35,7 @@ from ipalib import errors
 
 from ipaserver import ipaldap
 from ipaserver.install import replication
-from ipaserver.install.dsinstance import realm_to_serverid
+from ipaserver.install import dsinstance
 
 import ldap
 from ldap import LDAPError
@@ -78,7 +78,6 @@ class KpasswdInstance(service.SimpleServiceInstance):
 class KrbInstance(service.Service):
     def __init__(self, fstore=None):
         service.Service.__init__(self, "krb5kdc")
-        self.ds_user = None
         self.fqdn = None
         self.realm = None
         self.domain = None
@@ -124,8 +123,7 @@ class KrbInstance(service.Service):
         host_entry.setValue('managedby', host_dn)
         self.admin_conn.addEntry(host_entry)
 
-    def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password):
-        self.ds_user = ds_user
+    def __common_setup(self, realm_name, host_name, domain_name, admin_password):
         self.fqdn = host_name
         self.realm = realm_name.upper()
         self.host = host_name.split(".")[0]
@@ -152,13 +150,13 @@ class KrbInstance(service.Service):
         self.step("starting the KDC", self.__start_instance)
         self.step("configuring KDC to start on boot", self.__enable)
 
-    def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
+    def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
         self.master_password = master_password
         self.pkcs12_info = pkcs12_info
         self.self_signed_ca = self_signed_ca
         self.subject_base = subject_base
 
-        self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
+        self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
         self.step("setting KDC account password", self.__configure_kdc_account_password)
         self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
@@ -183,7 +181,7 @@ class KrbInstance(service.Service):
         self.kpasswd = KpasswdInstance()
         self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
 
-    def create_replica(self, ds_user, realm_name,
+    def create_replica(self, realm_name,
                        master_fqdn, host_name,
                        domain_name, admin_password,
                        ldap_passwd_filename, kpasswd_filename,
@@ -196,7 +194,7 @@ class KrbInstance(service.Service):
         self.__copy_kpasswd_keytab(kpasswd_filename)
         self.master_fqdn = master_fqdn
 
-        self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
+        self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
         self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
         self.step("writing stash file from DS", self.__write_stash_from_ds)
@@ -256,7 +254,7 @@ class KrbInstance(service.Service):
                              SUFFIX=self.suffix,
                              DOMAIN=self.domain,
                              HOST=self.host,
-                             SERVER_ID=realm_to_serverid(self.realm),
+                             SERVER_ID=dsinstance.realm_to_serverid(self.realm),
                              REALM=self.realm)
 
     def __configure_sasl_mappings(self):
@@ -492,7 +490,7 @@ class KrbInstance(service.Service):
         installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
 
         update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
-        pent = pwd.getpwnam(self.ds_user)
+        pent = pwd.getpwnam(dsinstance.DS_USER)
         os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
 
     def __create_host_keytab(self):
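Review bot: `pwd.getpwnam(dsinstance.DS_USER)` raises KeyError when the account does not exist, which is now exactly the state left behind when the `useradd` step in dsinstance fails (that step only logs the failure), and nothing in this method catches it, so the installer would stop with a bare traceback at the chown of `/etc/dirsrv/ds.keytab`; the enclosing method starts outside the hunk. Wrapping the lookup in `except KeyError:` with `logging.critical("DS user %s does not exist, cannot set ownership of /etc/dirsrv/ds.keytab" % dsinstance.DS_USER)` followed by a re-raise gives the admin an actionable message. The visible lines set the keytab's owner but not its mode; if `installutils.create_keytab` (outside the hunk) does not already restrict it, adding `os.chmod("/etc/dirsrv/ds.keytab", 0600)` next to the chown would keep the directory server's Kerberos credentials readable only by that user.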
-- 
1.7.3.5
