Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5314>.

Honza

--
Jan Cholasta
From 6853b55e7c072737c4e8e83a5dc1cca958ac08ae Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 21 Sep 2015 10:09:50 +0200
Subject: [PATCH] install: create kdcproxy user during server install

This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in the %pre scriptlet
of freeipa-server.

https://fedorahosted.org/freeipa/ticket/5314
---
 freeipa.spec.in                     | 12 ------------
 ipaserver/install/httpinstance.py   | 14 ++++++++++++++
 ipaserver/install/ipa_restore.py    |  4 +++-
 ipaserver/install/server/upgrade.py |  1 +
 4 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ab8af30..7a199a5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,6 @@
 
 %define _hardened_build 1
 
-%define kdcproxy_user kdcproxy
-%define kdcproxy_group kdcproxy
-%define kdcproxy_home %{_sharedstatedir}/kdcproxy
-
 Name:           freeipa
 Version:        __VERSION__
 Release:        __RELEASE__%{?dist}
@@ -583,13 +579,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
-# create kdcproxy user
-getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
-getent passwd %{kdcproxy_user} >/dev/null || \
-    /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
-    -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
-exit 0
-
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
     if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -726,7 +715,6 @@ fi
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
-%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9354a22..7358511 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -51,6 +51,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_run_ipa='on',
 )
 
+KDCPROXY_USER = 'kdcproxy'
+
 
 def httpd_443_configured():
     """
@@ -77,6 +79,17 @@ def httpd_443_configured():
 
     return False
 
+
+def create_kdcproxy_user():
+    """Create KDC proxy user/group if it doesn't exist yet."""
+    tasks.create_system_user(
+        name=KDCPROXY_USER,
+        group=KDCPROXY_USER,
+        homedir=paths.VAR_LIB,
+        shell=paths.NOLOGIN,
+    )
+
+
 class WebGuiInstance(service.SimpleServiceInstance):
     def __init__(self):
         service.SimpleServiceInstance.__init__(self, "ipa_webgui")
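Review bot: `homedir=paths.VAR_LIB` in create_kdcproxy_user gives the service account a shared system directory as its home, whereas the spec rules this patch removes gave it a dedicated `%{_sharedstatedir}/kdcproxy` directory owned by kdcproxy with mode 0700; if paths.VAR_LIB is the root-owned `/var/lib` (not visible here), anything the proxy writes under $HOME, such as a credential cache, will fail. Either pass a kdcproxy-specific path and create it with matching ownership and mode, or record the decision in the docstring, e.g. `"""Create the KDC proxy system user/group; it gets no private home, only the shared VAR_LIB dir."""`. The docstring's "if it doesn't exist yet" depends on tasks.create_system_user being a no-op for an existing account, which is not shown in the patch and matters because upgrade.py and ipa_restore.py call this on hosts whose account came from the old %pre scriptlet. Whether `tasks` and `paths` are already imported by httpinstance.py is outside the hunk.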
@@ -141,6 +154,7 @@ class HTTPInstance(service.Service):
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
         if not self.is_kdcproxy_configured():
+            self.step("create KDC proxy user", create_kdcproxy_user)
             self.step("create KDC proxy config", self.create_kdcproxy_conf)
             self.step("enable KDC proxy", self.enable_kdcproxy)
         self.step("restarting httpd", self.__start)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index b7af88d..6f24a48 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -370,6 +370,7 @@ class Restore(admintool.AdminTool):
 
                 self.restore_selinux_booleans()
 
+            http = httpinstance.HTTPInstance()
 
             # We do either a full file restore or we restore data.
             if restore_type == 'FULL':
@@ -381,6 +382,8 @@ class Restore(admintool.AdminTool):
                 self.cert_restore()
                 if 'CA' in self.backup_services:
                     self.__create_dogtag_log_dirs()
+                if http.is_kdcproxy_configured():
+                    httpinstance.create_kdcproxy_user()
 
             # Always restore the data from ldif
             # If we are restoring PKI-IPA then we need to restore the
@@ -409,7 +412,6 @@ class Restore(admintool.AdminTool):
                 self.log.info('Restarting SSSD')
                 sssd = services.service('sssd')
                 sssd.restart()
-                http = httpinstance.HTTPInstance()
                 http.remove_httpd_ccache()
         finally:
             try:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 571e71b..4df6219 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1445,6 +1445,7 @@ def upgrade_configuration():
             http.realm = api.env.realm
             http.suffix = ipautil.realm_to_suffix(api.env.realm)
             http.ldap_connect()
+        httpinstance.create_kdcproxy_user()
         http.create_kdcproxy_conf()
         http.enable_kdcproxy()
 
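Review bot: `httpinstance.create_kdcproxy_user()` now runs unconditionally on every upgrade, ahead of `http.create_kdcproxy_conf()`, which is only safe if tasks.create_system_user is idempotent for an account that already exists — on upgraded hosts the account was created by the old %pre scriptlet with home `%{_sharedstatedir}/kdcproxy`, and nothing in this patch shows that path is a no-op. Such hosts keep the old home directory while fresh installs get `paths.VAR_LIB`, and since the `%dir` entry for the old directory is dropped from freeipa.spec.in, it is no longer owned by the package and will be left behind with its 0700 permissions. A comment on the new line would make the assumption explicit: `# no-op when the account exists; older packages created it in the spec %pre`. upgrade_configuration begins outside the hunk.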
-- 
2.4.3
