Hi,

the following patchset contains fixes for https://fedorahosted.org/freeipa/ticket/3479 .

With it applied, you should be able to establish a trust on a reinstalled IPA master that had a trust established.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From b82d5f8194338c28b8be9f33cd2bbbd85fa1ef86 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 9 Oct 2013 12:23:18 +0200
Subject: [PATCH 114/117] ipa-upgradeconfig: Remove backed up smb.conf

Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.

This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.

Part of: https://fedorahosted.org/freeipa/ticket/3479
---
 install/tools/ipa-upgradeconfig      | 14 ++++++++++++++
 ipaserver/install/adtrustinstance.py | 15 ++++++---------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 1edc4c7bfe6d517b8c8d4dc786f707cfba9fa222..2ee5983226789511b44cd08ffa34e0ff93ff06a3 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -291,6 +291,19 @@ def cleanup_kdc(fstore):
             fstore.untrack_file(filename)
             root_logger.debug('Uninstalling %s', filename)
 
+def cleanup_adtrust(fstore):
+    """
+    Clean up any old Samba backup files that were deprecated.
+    """
+
+    root_logger.info('[Checking for deprecated backups of Samba '
+                     'configuration files]')
+
+    for backed_up_file in ['/etc/samba/smb.conf']:
+        if fstore.has_file(backed_up_file):
+            fstore.untrack_file(backed_up_file)
+            root_logger.debug('Removing %s from backup', backed_up_file)
+
 
 def setup_firefox_extension(fstore):
     """Set up the Firefox configuration extension, if it's not set up yet
@@ -1061,6 +1074,7 @@ def main():
             pass
 
     cleanup_kdc(fstore)
+    cleanup_adtrust(fstore)
     setup_firefox_extension(fstore)
     add_ca_dns_records()
 
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b3046386b8ca56e84009ece09658e7c6cdf8cfca..140c8d7695ac78d545ec2ad7a3aa20240a5f787f 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -365,8 +365,6 @@ class ADTRUSTInstance(service.Service):
         self.admin_conn.add_entry(entry)
 
     def __write_smb_conf(self):
-        self.fstore.backup_file(self.smb_conf)
-
         conf_fd = open(self.smb_conf, "w")
         conf_fd.write('### Added by IPA Installer ###\n')
         conf_fd.write('[global]\n')
@@ -863,18 +861,17 @@ class ADTRUSTInstance(service.Service):
         except:
             pass
 
-        for r_file in [self.smb_conf]:
-            try:
-                self.fstore.restore_file(r_file)
-            except ValueError, error:
-                root_logger.debug(error)
-                pass
+        # Since we do not guarantee restoring back to working samba state,
+        # we should not restore smb.conf
+
+        # Restore the state of affected selinux booleans
 
         for var in self.selinux_booleans:
             sebool_state = self.restore_state(var)
             if not sebool_state is None:
                 try:
-                    ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+                    ipautil.run(["/usr/sbin/setsebool",
+                                 "-P", var, sebool_state])
                 except:
                     self.print_msg(SELINUX_WARNING % dict(var=var))
 
-- 
1.8.3.1

From f48b7fdeef8cec0d8a21b5f828e7d183910dd60b Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 9 Oct 2013 12:52:33 +0200
Subject: [PATCH 115/117] ipa-adtrust-install: Add warning that we will break
 existing samba configuration

In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install,
print a warning that we will break existing samba configuration and ask for
a confirmation in the interactive mode.

Part of: https://fedorahosted.org/freeipa/ticket/3479
---
 install/tools/ipa-adtrust-install | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 2af2df92f341a70a6650e14ccc6e4593eac11b76..badb483ad27a91764561c7854f276a709686ec99 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -264,13 +264,25 @@ def main():
                                       allow_empty = False):
                 sys.exit("Aborting installation.")
 
+    # Check if /etc/samba/smb.conf already exists. In case it was not generated
+    # by IPA, print a warning that we will break existing configuration.
+
     if adtrustinstance.ipa_smb_conf_exists():
         if not options.unattended:
-            while True:
                 print "IPA generated smb.conf detected."
-                if not ipautil.user_input("Overwrite smb.conf?", default = False, allow_empty = False):
+                if not ipautil.user_input("Overwrite smb.conf?",
+                                          default = False,
+                                          allow_empty = False):
                     sys.exit("Aborting installation.")
-                break
+
+    elif os.path.exists('/etc/samba/smb.conf'):
+        print("WARNING: The smb.conf already exists. Running ipa-adtrust-install
+              "will break your existing samba configuration.\n\n")
+        if not options.unattended:
+            if not ipautil.user_input("Do you wish to continue?",
+                                      default = False,
+                                      allow_empty = False):
+                sys.exit("Aborting installation.")
 
     if not options.unattended and not options.enable_compat:
         options.enable_compat = enable_compat_tree()
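Review bot: The string literal opened at `print("WARNING: The smb.conf already exists. Running ipa-adtrust-install` is not closed before the line break, so this commit leaves ipa-adtrust-install unparsable; the following patch in the series repairs it, and that repair should be squashed into this commit so each one stands on its own. The interactive block under `if not options.unattended:` also keeps the 16-space indent it had inside the removed `while True:` loop; dedenting `print "IPA generated smb.conf detected."` and the `user_input` call by four spaces puts the body at the usual level. The new `elif` branch relies on `os.path.exists`; the hunk does not show the imports, so confirm `os` is imported in this script. main() starts and ends outside the hunk.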
-- 
1.8.3.1

From e7bb84ee5a44799988c2b8de698674d12b124f81 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 9 Oct 2013 13:20:13 +0200
Subject: [PATCH 116/117] adtrustinstance: Properly handle uninstall of AD
 trust instance

The uninstall method of the AD trust instance was not called at all
in the ipa-server-install --uninstall phase.

This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.

The following steps are undertaken:
  * Remove /var/run/samba/krb5cc_samba
  * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
  * Remove /var/lib/samba/*.tdb files

Additionally, we make sure winbind service is stopped from within the
stop() method.

Part of: https://fedorahosted.org/freeipa/ticket/3479
---
 install/tools/ipa-adtrust-install    |  5 ++--
 install/tools/ipa-server-install     |  2 ++
 ipaserver/install/adtrustinstance.py | 51 ++++++++++++++++++++++++++----------
 3 files changed, 42 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index badb483ad27a91764561c7854f276a709686ec99..b2bca0b917e5ace25111b631bbabcaf005fe4a2e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -276,8 +276,9 @@ def main():
                     sys.exit("Aborting installation.")
 
     elif os.path.exists('/etc/samba/smb.conf'):
-        print("WARNING: The smb.conf already exists. Running ipa-adtrust-install
-              "will break your existing samba configuration.\n\n")
+        print("WARNING: The smb.conf already exists. Running "
+              "ipa-adtrust-instal will break your existing samba "
+              "configuration.\n\n")
         if not options.unattended:
             if not ipautil.user_input("Do you wish to continue?",
                                       default = False,
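Review bot: The rewritten warning misspells the tool name in its second fragment, `"ipa-adtrust-instal will break your existing samba "`; it should read `"ipa-adtrust-install will break your existing samba "`. main() continues outside the hunk.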
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8077bc207fd2cd48846f7c6fdb2bff14505dc10c..1c76470dfeb1f511f5054e23b24b4ba007b7b451 100644
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -40,6 +40,7 @@ import pwd
 import textwrap
 from optparse import OptionGroup, OptionValueError
 
+from ipaserver.install import adtrustinstance
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
 from ipaserver.install import bindinstance
@@ -495,6 +496,7 @@ def uninstall():
     httpinstance.HTTPInstance(fstore).uninstall()
     krbinstance.KrbInstance(fstore).uninstall()
     dsinstance.DsInstance(fstore=fstore).uninstall()
+    adtrustinstance.ADTRUSTInstance(fstore).uninstall()
     memcacheinstance.MemcacheInstance().uninstall()
     otpdinstance.OtpdInstance().uninstall()
     ipaservices.restore_network_configuration(fstore, sstore)
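Review bot: `adtrustinstance.ADTRUSTInstance(fstore).uninstall()` now runs on every server uninstall, and in this same series that uninstall removes /etc/samba/smb.conf and the tdb files under /var/lib/samba without checking that ipa-adtrust-install was ever run, so an administrator's own Samba configuration on a server where no trust was configured gets wiped. Limiting the call, or the removals inside uninstall(), to the case where IPA wrote the configuration (the `adtrustinstance.ipa_smb_conf_exists()` check that ipa-adtrust-install already uses) would confine the cleanup to state IPA created; whether the service base class records a configured flag is not visible here. uninstall() starts and ends outside the hunk.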
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 140c8d7695ac78d545ec2ad7a3aa20240a5f787f..e817197a15de7007f68fa8cdd518f8b76442699c 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@ import struct
 import re
 
 from ipaserver.install import service
+from ipaserver.install import installutils
 from ipaserver.install.dsinstance import realm_to_serverid
 from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
                                            dns_zone_exists
@@ -473,26 +474,31 @@ class ADTRUSTInstance(service.Service):
                     member=[self.cifs_agent],
                 )
                 self.admin_conn.add_entry(entry)
-        except Exception, e:
-            # CIFS principal already exists, it is not the first time adtrustinstance is managed
+        except Exception:
+            # CIFS principal already exists, it is not the first time
+            # adtrustinstance is managed
             # That's fine, we we'll re-extract the key again.
             pass
 
-        samba_keytab = "/etc/samba/samba.keytab"
-        if os.path.exists(samba_keytab):
+        self.clean_samba_keytab()
+
+        try:
+            ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
+                                          "--principal", self.cifs_principal,
+                                          "-k", self.samba_keytab])
+        except ipautil.CalledProcessError:
+            root_logger.critical("Failed to add key for %s"
+                                 % self.cifs_principal)
+
+    def clean_samba_keytab(self):
+        if os.path.exists(self.samba_keytab):
             try:
                 ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
-                                         "-k", samba_keytab])
+                                         "-k", self.samba_keytab])
             except ipautil.CalledProcessError, e:
                 if e.returncode != 5:
-                    root_logger.critical("Failed to remove old key for %s" % self.cifs_principal)
-
-        try:
-            ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
-                                          "--principal", self.cifs_principal,
-                                          "-k", samba_keytab])
-        except ipautil.CalledProcessError, e:
-            root_logger.critical("Failed to add key for %s" % self.cifs_principal)
+                    root_logger.critical("Failed to remove old key for %s"
+                                         % self.cifs_principal)
 
     def srv_rec(self, host, port, prio):
         return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port)
@@ -693,6 +699,7 @@ class ADTRUSTInstance(service.Service):
     def __stop(self):
         self.backup_state("running", self.is_running())
         try:
+            ipaservices.service('winbind').stop()
             self.stop()
         except:
             pass
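Review bot: `ipaservices.service('winbind').stop()` is placed before `self.stop()` inside the one try whose bare `except:` swallows everything, so a failure to stop winbind (for instance when that service is absent) now also skips stopping smb, which the old code always attempted. Give the winbind call its own `try:`/`except:` block after `self.stop()` so the two stops are independent. Note also that `backup_state("running", ...)` records only smb's running state, so winbind's previous state is not available for restore later; confirm whether that is intended.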
@@ -750,6 +757,7 @@ class ADTRUSTInstance(service.Service):
                             realm_to_serverid(self.realm)
 
         self.smb_conf = "/etc/samba/smb.conf"
+        self.samba_keytab = "/etc/samba/samba.keytab"
 
         self.smb_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
                          ('cn', 'etc'), self.suffix)
@@ -865,7 +873,6 @@ class ADTRUSTInstance(service.Service):
         # we should not restore smb.conf
 
         # Restore the state of affected selinux booleans
-
         for var in self.selinux_booleans:
             sebool_state = self.restore_state(var)
             if not sebool_state is None:
@@ -875,6 +882,22 @@ class ADTRUSTInstance(service.Service):
                 except:
                     self.print_msg(SELINUX_WARNING % dict(var=var))
 
+        # Remove samba's credentials cache
+        krb5cc_samba = '/var/run/samba/krb5cc_samba'
+        installutils.remove_file(krb5cc_samba)
+
+        # Remove samba's configuration file
+        installutils.remove_file(self.smb_conf)
+
+        # Remove samba's persistent and temporary tdb files
+        tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/")
+                                           if tdb_file.endswith(".tdb")]
+        for tdb_file in tdb_files:
+            installutils.remove_file(tdb_file)
+
+        # Remove our keys from samba's keytab
+        self.clean_samba_keytab()
+
         if not enabled is None and not enabled:
             self.disable()
 
-- 
1.8.3.1

From 2f0262b00cf697dc0bfb65fc684579523c9fe406 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 9 Oct 2013 15:45:49 +0200
Subject: [PATCH 117/117] adtrustinstance: Move attribute definitions from
 setup to init method

The majority of the attributes set in the setup method can be set in the
__init__ method where they are actually defined (and set to None).

This is true for attributes that hold constant values and for
attributes that have their values derived from api.env dictionary.

Creates a new __setup_default_attributes method, that is called
from within __init__ and setup (in case the passed values for
hostname or domain do not correspond to that what is set in api.env,
doing otherwise could cause unexpected behaviour).

Part of: https://fedorahosted.org/freeipa/ticket/3479
---
 ipaserver/install/adtrustinstance.py | 78 ++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 29 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index e817197a15de7007f68fa8cdd518f8b76442699c..6a1ede0d7eb46a824d6e9eaf7ad1226120d08809 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -110,36 +110,72 @@ class ADTRUSTInstance(service.Service):
     FALLBACK_GROUP_NAME = u'Default SMB Group'
 
     def __init__(self, fstore=None):
-        self.fqdn = None
         self.ip_address = None
-        self.realm = None
-        self.domain_name = None
         self.netbios_name = None
         self.reset_netbios_name = None
         self.no_msdcs = None
         self.add_sids = None
         self.smbd_user = None
-        self.suffix = DN()
-        self.ldapi_socket = None
-        self.smb_conf = None
-        self.smb_dn = None
         self.smb_dn_pwd = None
         self.trust_dn = None
         self.smb_dom_dn = None
         self.sub_dict = None
-        self.cifs_principal = None
-        self.cifs_agent = None
-        self.selinux_booleans = None
         self.rid_base = None
         self.secondary_rid_base = None
 
-        service.Service.__init__(self, "smb", service_desc="CIFS", dm_password=None, ldapi=True)
+        self.fqdn = None
+        self.realm = None
+        self.domain_name = None
+
+        service.Service.__init__(self, "smb", service_desc="CIFS",
+                                 dm_password=None, ldapi=True)
 
         if fstore:
             self.fstore = fstore
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
+        self.__setup_default_attributes()
+
+    def __setup_default_attributes(self):
+        """
+        This method setups default attributes that are either constants, or
+        based on api.env attributes, such as realm, hostname or domain name.
+        """
+
+        # Constants
+        self.smb_conf = "/etc/samba/smb.conf"
+        self.samba_keytab = "/etc/samba/samba.keytab"
+        self.selinux_booleans = ["samba_portmapper"]
+        self.cifs_hosts = []
+
+        # Values obtained from API.env
+        self.fqdn = self.fqdn or api.env.host
+        self.realm = self.realm or api.env.realm
+        self.domain_name = self.domain_name or api.env.domain
+
+        self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm
+        self.suffix = ipautil.realm_to_suffix(self.realm)
+        self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
+                            realm_to_serverid(self.realm)
+
+        # DN definitions
+        self.trust_dn = DN(api.env.container_trusts, self.suffix)
+
+        self.smb_dn = DN(('cn', 'adtrust agents'),
+                         ('cn', 'sysaccounts'),
+                         ('cn', 'etc'),
+                         self.suffix)
+
+        self.smb_dom_dn = DN(('cn', self.domain_name),
+                             api.env.container_cifsdomains,
+                             self.suffix)
+
+        self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()),
+                             api.env.container_service,
+                             self.suffix)
+
+
     def __gen_sid_string(self):
         sub_ids = struct.unpack("<LLL", os.urandom(12))
         return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
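Review bot: Because `__setup_default_attributes` is now called from `__init__`, merely constructing an ADTRUSTInstance reads `api.env.host`, `api.env.realm`, `api.env.domain` and the container attributes and calls `realm_to_serverid(self.realm)`; every caller, including the new uninstall path, therefore needs a finalized api, and with `api.env.realm` unset `realm_to_serverid(None)` will fail where `__init__` previously just stored None. That precondition belongs in the docstring, which also reads awkwardly; suggest `This method sets up default attributes that are either constants or derived from api.env (realm, hostname, domain name). The api must be finalized before the instance is created.` The two blank lines before `def __gen_sid_string` should be one, matching the spacing between the other methods. __init__ and __setup_default_attributes lie wholly inside the hunk.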
@@ -752,25 +788,9 @@ class ADTRUSTInstance(service.Service):
         self.add_sids = add_sids
         self.enable_compat = enable_compat
         self.smbd_user = smbd_user
-        self.suffix = ipautil.realm_to_suffix(self.realm)
-        self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
-                            realm_to_serverid(self.realm)
 
-        self.smb_conf = "/etc/samba/smb.conf"
-        self.samba_keytab = "/etc/samba/samba.keytab"
-
-        self.smb_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
-                         ('cn', 'etc'), self.suffix)
-
-        self.trust_dn = DN(api.env.container_trusts, self.suffix)
-        self.smb_dom_dn = DN(('cn', self.domain_name),
-                             api.env.container_cifsdomains, self.suffix)
-        self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm
-        self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()),
-                             api.env.container_service,
-                             self.suffix)
-        self.selinux_booleans = ["samba_portmapper"]
-        self.cifs_hosts = list()
+        # Setup constants and attributes derived from the values above
+        self.__setup_default_attributes()
 
         self.__setup_sub_dict()
 
-- 
1.8.3.1
