On 23.9.2015 12:49, Christian Heimes wrote:
On 2015-09-23 12:40, Jan Cholasta wrote:
On 23.9.2015 11:44, Christian Heimes wrote:
On 2015-09-23 10:54, Jan Cholasta wrote:
Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not?
Even if it is not enabled, shouldn't the user be created just in case ?

Fixed, patch attached.

I haven't tested the patch yet. It looks like the kdcproxy user doesn't
own its home directory. Please chown /var/lib/kdcproxy.

I can't chown it because the user may not exist at RPM install time. It
doesn't matter anyway, since nothing is ever stored in the directory and
KDC proxy works just fine. The same thing is done for the DS user and
nobody complained so far, so I assumed it should be OK for KDC proxy as
well.

I think we have a slight misunderstanding here. :) Of course you can't
set the owner at RPM install time. I wasn't talking about chown-ing the
directory in RPM, but chown-ing the directory after or inside the
tasks.create_system_user() call. Sorry for the confusion!

AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
directory. It's not guaranteed for eternity, though.

OK. Updated patch attached. Added patch 496, please apply before 495.

--
Jan Cholasta
From 2877e9a98423fd4b66834f2c71dd47c32a6d4f45 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 23 Sep 2015 13:09:44 +0200
Subject: [PATCH 1/2] platform: add option to create home directory when adding
 user

https://fedorahosted.org/freeipa/ticket/5314
---
 ipaplatform/base/tasks.py   | 8 ++++++--
 ipaplatform/redhat/tasks.py | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 6571514..573287c 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -184,7 +184,7 @@ class BaseTaskNamespace(object):
 
         return
 
-    def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+    def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
         """Create a system user with a corresponding group"""
         try:
             grp.getgrnam(group)
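Review bot: the new `create_homedir` keyword in the `create_system_user` signature is not described in the docstring, which still reads only "Create a system user with a corresponding group". Please document what it does and that the default of False keeps the old behaviour of not creating a home directory, and consider wrapping the signature, which is now well past 79 columns.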
@@ -211,12 +211,16 @@ class BaseTaskNamespace(object):
                 '-g', group,
                 '-d', homedir,
                 '-s', shell,
-                '-M', '-r', name,
+                '-r', name,
             ]
             if uid:
                 args += ['-u', str(uid)]
             if comment:
                 args += ['-c', comment]
+            if create_homedir:
+                args += ['-m']
+            else:
+                args += ['-M']
             try:
                 ipautil.run(args)
                 log.debug('Done adding user')
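Review bot: the `-m`/`-M` flag is appended to `args` after the positional `name`, so the command line ends with options that follow the login name. The `-u` and `-c` branches already do the same, but it would be more robust to collect all options first and append `name` last. Also, when `create_homedir` is set nothing here sets the owner or mode of the directory, so both depend on useradd's defaults; since the thread asked for the kdcproxy user to own its home, an explicit chown/chmod after `ipautil.run(args)` would make that independent of those defaults.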
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 3b522b0..dd614c9 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -400,7 +400,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 
         return True
 
-    def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+    def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
         """
         Create a system user with a corresponding group
 
@@ -421,7 +421,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
                 comment = 'DS System User'
 
         super(RedHatTaskNamespace, self).create_system_user(name, group,
-            homedir, shell, uid, gid, comment)
+            homedir, shell, uid, gid, comment, create_homedir)
 
 
 tasks = RedHatTaskNamespace()
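Review bot: in the `super(RedHatTaskNamespace, self).create_system_user(...)` call, `create_homedir` is passed as the eighth positional argument. Passing it as `create_homedir=create_homedir` would keep the call correct if the base signature later gains or reorders optional parameters, and the docstring of this override should mention the new parameter as well.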
-- 
2.4.3

From e87cb5acc9556ab7ead897c8d112da576be848ed Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 23 Sep 2015 10:35:06 +0200
Subject: [PATCH 2/2] install: fix kdcproxy user home directory

https://fedorahosted.org/freeipa/ticket/5314
---
 freeipa.spec.in                   | 2 +-
 ipaplatform/base/paths.py         | 1 +
 ipaserver/install/httpinstance.py | 4 +++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7a199a5..36179c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -482,7 +482,6 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
-mkdir -p %{buildroot}%{kdcproxy_home}
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 
@@ -714,6 +713,7 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
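Review bot: the new `%ghost` entry spells the path as `%{_sharedstatedir}/kdcproxy`, while the `mkdir` line removed earlier in this file used `%{kdcproxy_home}` and paths.py hard-codes `/var/lib/kdcproxy`. Use the macro here if it is still defined, or drop the macro, so the three spellings cannot drift apart. The entry also carries no `%attr`, and `%verify(not owner group)` excludes only owner and group, so please confirm which mode the package will record for a directory that is created at install time rather than shipped in the buildroot.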
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 97c330c..215caf9 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -286,6 +286,7 @@ class BasePathNamespace(object):
     REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
     SYSRESTORE = "/var/lib/ipa/sysrestore"
     STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
+    VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
     VAR_LIB_PKI_DIR = "/var/lib/pki"
     VAR_LIB_PKI_CA_DIR = "/var/lib/pki-ca"
     PKI_ALIAS_CA_P12 = "/var/lib/pki-ca/alias/ca.p12"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7358511..4269d36 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -85,8 +85,10 @@ def create_kdcproxy_user():
     tasks.create_system_user(
         name=KDCPROXY_USER,
         group=KDCPROXY_USER,
-        homedir=paths.VAR_LIB,
+        homedir=paths.VAR_LIB_KDCPROXY,
         shell=paths.NOLOGIN,
+        comment="IPA KDC Proxy User",
+        create_homedir=True,
     )
 
 
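Review bot: `create_homedir=True` in `create_kdcproxy_user()` only has an effect when the account is actually created. On a server upgraded from a build that used `homedir=paths.VAR_LIB`, the kdcproxy user may already exist, and if `create_system_user` skips useradd for an existing user then `/var/lib/kdcproxy` is neither created nor set as the home directory, which is the error_log case reported at the top of this thread. Consider ensuring after the call that `paths.VAR_LIB_KDCPROXY` exists and is owned by `KDCPROXY_USER`.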
-- 
2.4.3
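
The chown step suggested earlier in this thread (fixing the directory after the `tasks.create_system_user()` call), as an added example that is not part of the original mail or of FreeIPA. The function name `ensure_service_home` and the 0700 mode are assumptions; a caller would take `uid` and `gid` from `pwd.getpwnam()` for the service user.

```python
import os
import stat


def ensure_service_home(path, uid, gid, mode=0o700):
    """Make sure `path` is a real directory owned by uid:gid with `mode`.

    Hypothetical helper: meant to run as root after the account exists,
    so it also covers upgrades where the user was created earlier with
    a different home and useradd never made the directory.
    Returns the list of corrective actions taken (empty if none).
    """
    actions = []
    try:
        os.mkdir(path, mode)
        actions.append("created")
    except FileExistsError:
        pass  # already there (or something else is; checked below)

    # O_NOFOLLOW + O_DIRECTORY: refuse a symlink or a plain file, so a
    # privileged caller never changes ownership of a link target.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if (st.st_uid, st.st_gid) != (uid, gid):
            os.fchown(fd, uid, gid)
            actions.append("chown")
        if stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)
            actions.append("chmod")
    finally:
        os.close(fd)
    return actions
```

Working on the open descriptor rather than the path means the ownership and mode checks apply to the same object that was verified to be a directory.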
