Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3147 by adding
the default fallback group with an LDIF file instead of using the
framework.

bye,
Sumit
From 2cd6a4e0f93c34df60a221ea7e96a5c2735ece4d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 8 Oct 2012 10:44:07 +0200
Subject: [PATCH] ipa-adtrust-install: create fallback group with ldif file

Currently the framework is used to add the group, but we want to prevent
users from being added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup, and we want to
use a name with spaces in it. Neither is easily possible with the
framework, so an LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
---
 install/share/Makefile.am            |  1 +
 install/share/default-smb-group.ldif |  8 +++++++
 ipaserver/install/adtrustinstance.py | 41 ++++++++++--------------------------
 3 Dateien geändert, 20 Zeilen hinzugefügt(+), 30 Zeilen entfernt(-)
 create mode 100644 install/share/default-smb-group.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 
03fef9a66f2f4c64e5685d4947c6f9139ac69ad0..23cd766a5a82ca514ffff9ebad82e0ee7db9ae77
 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ app_DATA =                            \
        caJarSigningCert.cfg.template   \
        default-aci.ldif                \
        default-hbac.ldif               \
+       default-smb-group.ldif          \
        delegation.ldif                 \
        replica-acis.ldif               \
        ds-nfiles.ldif                  \
diff --git a/install/share/default-smb-group.ldif 
b/install/share/default-smb-group.ldif
new file mode 100644
index 
0000000000000000000000000000000000000000..8d89f67cc7d8be66375c9accb038b3c20a4d4be4
--- /dev/null
+++ b/install/share/default-smb-group.ldif
@@ -0,0 +1,8 @@
+dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+cn: Default SMB Group
+description: Fallback group for primary group RID, do not add user to this 
group
+gidnumber: 999
+objectclass: top
+objectclass: ipaobject
+objectclass: posixgroup
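Review bot: `gidnumber: 999` on the fifth added line pins a fixed GID, whereas the `group_add` call this file replaces (with nonposix=False) let the server allocate the GID from its ID range; nothing in this LDIF or in the calling code visible in the patch checks that 999 is not already held by another posixgroup, and 999 sits in the range commonly used for local system groups. If the fixed value is deliberate, a leading comment line such as `# GID is fixed so the fallback group is identical on every server; must not collide with an allocated ID` would record the reasoning, otherwise consider substituting the value through `sub_dict` like `$SUFFIX`. The description value also appears split after "this" with the continuation "group" at column 0; presumably that is mail-client wrapping, but if it is in the file the continuation line needs a leading space to be valid LDIF.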
diff --git a/ipaserver/install/adtrustinstance.py 
b/ipaserver/install/adtrustinstance.py
index 
3f3924eb3ce9f56ac66407347645c40f96eb6430..41030223d1f644ba6a6557ac90d8f518fcba9c29
 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,6 @@ import errno
 import ldap
 import tempfile
 import uuid
-import krbV
 from ipaserver import ipaldap
 from ipaserver.install import installutils
 from ipaserver.install import service
@@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
     OBJC_USER = "ipaNTUserAttrs"
     OBJC_GROUP = "ipaNTGroupAttrs"
     OBJC_DOMAIN = "ipaNTDomainAttrs"
-    FALLBACK_GROUP_NAME = u'Default_SMB_Group'
+    FALLBACK_GROUP_NAME = u'Default SMB Group'
 
     def __init__(self, fstore=None):
         self.fqdn = None
@@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
         """
 
         self.ldap_connect()
-        try:
-            ctx = krbV.default_context()
-            ccache = ctx.default_ccache()
-        except krbV.Krb5Error, e:
-            self.print_msg("Must have Kerberos credentials to setup " \
-                           "AD trusts on server")
-            return
-
-        try:
-            api.Backend.ldap2.disconnect()
-            api.Backend.ldap2.connect(ccache.name)
-        except errors.ACIError, e:
-            self.print_msg("Outdated Kerberos credentials. " \
-                           "Use kdestroy and kinit to update your ticket")
-            return
-        except errors.DatabaseError, e:
-            self.print_msg("Cannot connect to the LDAP database. " \
-                           "Please check if IPA is running")
-            return
 
         try:
             dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
@@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
             self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
         except errors.NotFound:
             try:
-                fallback = api.Command['group_add'](self.FALLBACK_GROUP_NAME,
-                                           description= u'Fallback group for ' 
\
-                                                         'primary group RID, ' 
\
-                                                         'do not add user to ' 
\
-                                                         'this group',
-                                           nonposix=False)
-                fb_group_dn = fallback['result']['dn']
+                self._ldap_mod('default-smb-group.ldif', self.sub_dict)
             except Exception, e:
                 self.print_msg("Failed to add fallback group.")
                 raise e
 
+        # _ldap_mod does not return useful error codes, so we must check again
+        # if the fallback group was created properly.
         try:
-            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
-                    fallback['result']['dn'])]
+            self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
+        except errors.NotFound:
+                self.print_msg("Failed to add fallback group.")
+                return
+
+        try:
+            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
             self.admin_conn.modify_s(self.smb_dom_dn, mod)
         except:
             self.print_msg("Failed to add fallback group to domain object")
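Review bot: The new existence check `self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)` after `_ldap_mod` relies on `fb_group_dn`, built before this hunk, matching the DN hard-coded in default-smb-group.ldif; the removed code took the DN from the `group_add` result, so the two values could not drift, and a mismatch now reports "Failed to add fallback group." even though the entry was created. Consider templating the cn in the LDIF from the same constant via `sub_dict` so the DN is defined once, or at least add a comment next to `FALLBACK_GROUP_NAME` such as `# must match the dn in default-smb-group.ldif`. The body of the added `except errors.NotFound:` (the `print_msg`/`return` pair) is indented four columns deeper than the other handlers in this method; it is legal Python but suggests a nesting that is not there, so align it with the surrounding `except` bodies. The enclosing method starts outside the hunk.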
-- 
1.7.11.4
