Hi,

when adding AD trusts support, we need to ensure we have a valid Kerberos
ticket of the user from the 'admins' group, or otherwise appropriate ACIs
will not be granted.

This patch introduces a check for that. We already check if
ipa-adtrust-install is run by root, so this complements the existing checks.

https://fedorahosted.org/freeipa/ticket/2815
--
/ Alexander Bokovoy
From 4a439e86c26f7a640063d4b20beaf35e6a2967c9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Jul 2012 18:12:48 +0300
Subject: [PATCH 2/2] Ensure ipa-adtrust-install is run with Kerberos ticket
 for admin user

When setting up AD trusts support, ipa-adtrust-install utility
needs to be run as:
   - root, for performing Samba configuration
   - kinit-ed IPA admin user, to ensure proper ACIs are granted

https://fedorahosted.org/freeipa/ticket/2815
---
 install/tools/ipa-adtrust-install |   25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/install/tools/ipa-adtrust-install 
b/install/tools/ipa-adtrust-install
index 
6678018e6346d75d5042894cfb833d38079d3f21..d03657118995022cbf1c34149bc5528a628a71ea
 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -86,6 +86,29 @@ def read_netbios_name(netbios_default):
 
     return netbios_name
 
+def ensure_kerberos_admin_rights(api):
+    try:
+        ctx = krbV.default_context()
+        ccache = ctx.default_ccache()
+        principal = ccache.principal()
+        api.Backend.ldap2.connect(ccache.name)
+        user = api.Command.user_show(unicode(principal[0]))['result']
+        group = api.Command.group_show(u'admins')['result']
+        api.Backend.ldap2.disconnect()
+        if not (user['uid'][0] in group['member_user'] and
+                group['cn'][0] in user['memberof_group']):
+            raise errors.RequirementError(name='admins group membership')
+    except Exception, e:
+        error_messages = dict(
+           Krb5Error = "Must have Kerberos credentials to setup AD trusts on 
server",
+           RequirementError = "Must have administrative privileges to setup AD 
trusts on server"
+        )
+        name = type(e).__name__
+        if name in error_messages:
+            sys.exit(error_messages[name])
+        else:
+            sys.exit("Unrecognized error during check of admin rights: %s" % 
(str(e)))
+
 def main():
     safe_options, options = parse_options()
 
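Review bot: the LDAP connection opened by `api.Backend.ldap2.connect(ccache.name)` is only closed on the success path; if `user_show`, `group_show` or the `RequirementError` raise, `api.Backend.ldap2.disconnect()` is skipped and the bind stays open while the `except` branch calls `sys.exit`. Move the disconnect into a `finally:` block (or disconnect before raising `RequirementError`). Two smaller points in the same hunk: the membership test requires both `user['uid'][0] in group['member_user']` (direct membership only) and `group['cn'][0] in user['memberof_group']` (which also covers nested membership), so a user who is an admin only through a nested group is rejected; if that is intended, say so in a comment, otherwise the `memberof_group` check alone is sufficient. And since `except Exception, e:` maps errors by class name, a ticket whose first principal component is not a user entry will surface from `user_show` as "Unrecognized error during check of admin rights: ..." rather than as the admin-rights message; catching `errors.NotFound` explicitly would give the operator a clearer message.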
@@ -128,6 +151,8 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
+    ensure_kerberos_admin_rights(api)
+
     if adtrustinstance.ipa_smb_conf_exists():
         if not options.unattended:
             while True:
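Review bot: the check consults `krbV.default_context().default_ccache()` of the running process, that is root's default credential cache when the tool is started via `su`/`sudo`, not the invoking user's, so the commit message and the tool's usage text should state that `kinit` for the admin user must be done as root (or the cache exported via `KRB5CCNAME`) before running ipa-adtrust-install. Placing the call directly after `api.finalize()` and before the smb.conf prompt is the right spot, since a user without credentials is rejected before any interactive question is asked.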
-- 
1.7.10.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
