Hi, when adding AD trusts support, we need to ensure we have a valid Kerberos ticket of the user from the 'admins' group, or otherwise appropriate ACIs will not be granted.
This patch introduces a check for that. We already check if ipa-adtrust-install is run by root, so this complements existing checks. https://fedorahosted.org/freeipa/ticket/2815
-- 
/ Alexander Bokovoy
>From 4a439e86c26f7a640063d4b20beaf35e6a2967c9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Fri, 13 Jul 2012 18:12:48 +0300 Subject: [PATCH 2/2] Ensure ipa-adtrust-install is run with Kerberos ticket for admin user When setting up AD trusts support, ipa-adtrust-install utility needs to be run as: - root, for performing Samba configuration - kinit-ed IPA admin user, to ensure proper ACIs are granted https://fedorahosted.org/freeipa/ticket/2815 --- install/tools/ipa-adtrust-install | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 6678018e6346d75d5042894cfb833d38079d3f21..d03657118995022cbf1c34149bc5528a628a71ea 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -86,6 +86,29 @@ def read_netbios_name(netbios_default): return netbios_name +def ensure_kerberos_admin_rights(api): + try: + ctx = krbV.default_context() + ccache = ctx.default_ccache() + principal = ccache.principal() + api.Backend.ldap2.connect(ccache.name) + user = api.Command.user_show(unicode(principal[0]))['result'] + group = api.Command.group_show(u'admins')['result'] + api.Backend.ldap2.disconnect() + if not (user['uid'][0] in group['member_user'] and + group['cn'][0] in user['memberof_group']): + raise errors.RequirementError(name='admins group membership') + except Exception, e: + error_messages = dict( + Krb5Error = "Must have Kerberos credentials to setup AD trusts on server", + RequirementError = "Must have administrative privileges to setup AD trusts on server" + ) + name = type(e).__name__ + if name in error_messages: + sys.exit(error_messages[name]) + else: + sys.exit("Unrecognized error during check of admin rights: %s" % (str(e))) + def main(): safe_options, options = parse_options() 
@@ -128,6 +151,8 @@ def main(): api.bootstrap(**cfg) api.finalize() + ensure_kerberos_admin_rights(api) + if adtrustinstance.ipa_smb_conf_exists(): if not options.unattended: while True: -- 1.7.10.4
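Review bot: in ensure_kerberos_admin_rights(), api.Backend.ldap2.disconnect() is only reached on the success path; if user_show() or group_show() raises, the LDAP connection opened by api.Backend.ldap2.connect(ccache.name) is never closed before sys.exit(). Put the two lookups in a try/finally that calls disconnect(). The same `except Exception, e` also turns a KeyError into the "Unrecognized error" exit when the admins group has no direct members and group_show() returns no 'member_user' key, so use group.get('member_user', []) (and similarly user.get('memberof_group', [])) so that case is reported as the intended RequirementError. The hunk adds no imports, so confirm krbV, errors and sys are already imported in install/tools/ipa-adtrust-install; and in the two user-facing messages "setup" should read "set up".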
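Review bot: placing the ensure_kerberos_admin_rights(api) call right after api.finalize() and before the ipa_smb_conf_exists() prompt is the right spot, since a missing ticket now fails before the admin is asked anything, but the patch touches only install/tools/ipa-adtrust-install ("1 file changed, 25 insertions(+)"), so the tool's documentation is not updated to state the new requirement that the invoking user hold a Kerberos ticket for a member of the admins group in addition to running as root; please add that to the man page or usage text in the same change.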
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel