This patch reverts commits 705f66f7490c64de1adc129221b31927616c485d and 06d945a04607dc36e25af78688b4295420489fb9, which are responsible for https://fedorahosted.org/freeipa/ticket/5996

This should unblock replica promotion.

--
Martin^3 Babinsky
From ff2e26a41189d4192255e5244b5a5cb993b9b258 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 24 Jun 2016 14:31:31 +0200
Subject: [PATCH]  IPA API: Do not force setting krbCanonicalName on newly
 created entries

Commit 705f66f7490c64de1adc129221b31927616c485d forces unconditional setting
of the krbCanonicalName attribute when adding new users, hosts, and services
through the management framework. This may not always be desirable and can even
break replica promotion, because a member of the ipaservers group cannot create its
service principals due to missing ACIs on the master.

It is better to handle krbCanonicalName only during modification of entries
via API and let their creation be backwards compatible with previous IPA
servers.

Creation of entries by other means (e.g. kadmin.local) is done using
root/Directory Manager privileges so they are not subject to ACI evaluation.

This patch revert this commit and commit
06d945a04607dc36e25af78688b4295420489fb9 modifying tests.

https://fedorahosted.org/freeipa/ticket/5996
---
 ipalib/util.py                                   | 11 -----------
 ipaserver/plugins/baseuser.py                    |  2 --
 ipaserver/plugins/host.py                        |  2 --
 ipaserver/plugins/service.py                     | 10 ++++++++--
 ipaserver/plugins/stageuser.py                   |  3 ---
 ipatests/test_xmlrpc/objectclasses.py            |  1 +
 ipatests/test_xmlrpc/test_host_plugin.py         |  1 -
 ipatests/test_xmlrpc/test_service_plugin.py      |  9 ++-------
 ipatests/test_xmlrpc/test_user_plugin.py         |  1 -
 ipatests/test_xmlrpc/tracker/host_plugin.py      |  4 +---
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py |  5 +----
 ipatests/test_xmlrpc/tracker/user_plugin.py      |  5 ++---
 12 files changed, 15 insertions(+), 39 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 67865eb04e85ffaf34475f0324cc9cc0703cf45b..8435f7ab6e8fd66caacb1641a4ef5409382637c5 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -901,14 +901,3 @@ def validate_bind_forwarder(ugettext, forwarder):
             return _('%(port)s is not a valid port' % dict(port=port))
 
     return None
-
-
-def set_krbcanonicalname(entry_attrs):
-    objectclasses = set(i.lower() for i in entry_attrs['objectclass'])
-
-    if 'krbprincipalaux' not in objectclasses:
-        return
-
-    if ('krbprincipalname' in entry_attrs
-            and 'krbcanonicalname' not in entry_attrs):
-        entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname']
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 7bb2e8a6360a6d04eaf0390239eafa0763f9d57c..bbea403d9782fcbe486af07215ad67ee83eb9b58 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -39,7 +39,6 @@ from ipalib.util import (
     remove_sshpubkey_from_output_post,
     remove_sshpubkey_from_output_list_post,
     add_sshpubkey_to_attrs_pre,
-    set_krbcanonicalname
 )
 
 if six.PY3:
@@ -498,7 +497,6 @@ class baseuser_add(LDAPCreate):
     def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                             **options):
         assert isinstance(dn, DN)
-        set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 0072431de3f130d09066100f12d9fcb34e9fb96b..919927c3dd4828810131f1ce7748a15064b1566b 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -50,7 +50,6 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     remove_sshpubkey_from_output_list_post,
     normalize_hostname,
     hostname_validator,
-    set_krbcanonicalname
 )
 from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
 from ipapython.dnsutil import DNSName
@@ -633,7 +632,6 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipalaux')
             if 'krbprincipal' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbprincipal')
-            set_krbcanonicalname(entry_attrs)
         else:
             if 'krbprincipalaux' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipalaux')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cb9952d4479a543321999269cb4bd6ace0714436..24031eb429c1946f2ec730683f46c9cef35910ed 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -576,8 +576,14 @@ class service_add(LDAPCreate):
         if not 'managedby' in entry_attrs:
             entry_attrs['managedby'] = hostresult['dn']
 
-        # set krbcanonicalname attribute to enable principal canonicalization
-        util.set_krbcanonicalname(entry_attrs)
+        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
+        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
+        # schema
+        entry_attrs['ipakrbprincipalalias'] = keys[-1]
+
+        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
+        # in a list of default objectclasses, add it manually
+        entry_attrs['objectclass'].append('ipakrbprincipal')
 
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
 
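Review bot: The new `entry_attrs['objectclass'].append('ipakrbprincipal')` is unconditional, so if the caller's entry already carries that objectclass (or it is later added to the defaults the comment says it is absent from) the add request contains a duplicate value, which the directory server may reject; the host.py hunk in this same patch guards its appends with `if 'krbprincipal' not in entry_attrs['objectclass']`, and the helper this patch removes compared objectclasses case-insensitively, so a matching guard here would be `if 'ipakrbprincipal' not in (oc.lower() for oc in entry_attrs['objectclass']):` followed by the indented `entry_attrs['objectclass'].append('ipakrbprincipal')`. The alias is taken verbatim from `keys[-1]`; if krbPrincipalName is normalised elsewhere in this callback, the alias should presumably receive the same normalisation, otherwise the case-insensitive search the comment promises matches a different spelling than the stored principal — worth confirming. Since the stated motivation is missing ACIs on the master, it would also be worth confirming that writing ipakrbprincipalalias and the ipakrbprincipal objectclass on service-add is already permitted for ipaservers members, i.e. that this genuinely restores the pre-705f66f behaviour rather than trading one ACI gap for another. The enclosing service_add.pre_callback starts and ends outside this hunk.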
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 9d5d40453a4a741d1e9a23c6a8239972d2e39b86..86b1935f33f9fbe6354f7fbfc8b6bb1bdb7fe7b4 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -44,7 +44,6 @@ from .baseuser import (
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
-from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
@@ -533,8 +532,6 @@ class stageuser_activate(LDAPQuery):
         if 'krbprincipalname' not in entry_from:
             entry_to['krbprincipalname'] = '%s@%s' % (entry_from['uid'][0], api.env.realm)
 
-        set_krbcanonicalname(entry_to)
-
     def __dict_new_entry(self, *args, **options):
         ldap = self.obj.backend
 
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 7050de289760ede29d057e42658c2f68d8506249..134a08803f3abca1124c4d26274d9e3fc981b941 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,6 +100,7 @@ service = [
     u'ipaobject',
     u'ipaservice',
     u'pkiuser',
+    u'ipakrbprincipal',
     u'top',
 ]
 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 4ddabefff14e61e8e2f33c0dbcb55f657330c438..e6fc68a15cb9e7176979148462c469d1a737b040 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -357,7 +357,6 @@ class TestHostWithService(XMLRPC_test):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     managedby_host=[host.fqdn],
                     ipauniqueid=[fuzzy_uuid],
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 3009521c3b2d9c496bff4e11b96838ce50a2eefa..0a38e3d653ed0b3083301b1ca9a5f252f9bbaa4b 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -193,7 +193,6 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -239,7 +238,7 @@ class test_service(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    krbcanonicalname=[service1],
+                    ipakrbprincipalalias=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -262,7 +261,6 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        krbcanonicalname=service1,
                         managedby_host=[fqdn1],
                         has_keytab=False,
                     ),
@@ -282,7 +280,6 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        krbcanonicalname=service1,
                         has_keytab=False,
                     ),
                 ],
@@ -301,7 +298,7 @@ class test_service(Declarative):
                     dict(
                         dn=service1dn,
                         krbprincipalname=[service1],
-                        krbcanonicalname=service1,
+                        ipakrbprincipalalias=[service1],
                         objectclass=objectclasses.service,
                         ipauniqueid=[fuzzy_uuid],
                         has_keytab=False,
@@ -716,7 +713,6 @@ class test_service_in_role(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
@@ -921,7 +917,6 @@ class test_service_allowed_to(Declarative):
                 result=dict(
                     dn=service1dn,
                     krbprincipalname=[service1],
-                    krbcanonicalname=[service1],
                     objectclass=objectclasses.service,
                     ipauniqueid=[fuzzy_uuid],
                     managedby_host=[fqdn1],
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 6d58c53aa6041f5c23bf7e337432e242fe010536..dbfdb4c083fafada48455c60ac0470443a1c9b90 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -976,7 +976,6 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
             mepmanagedentry=[get_group_dn(uid)],
             objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
             krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
-            krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)]
         )
     if operation in ('show', 'show-all', 'find', 'mod'):
         result.update(
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index 21088f22c963f1f001d4b04ac5d945bff0c0228a..d54901fa5f8e5d38619161826a3b5887f563b828 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -37,8 +37,7 @@ class HostTracker(Tracker):
         'ipaallowedtoperform_write_keys_hostgroup'}
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
-        u'krbcanonicalname', u'managing_host', u'objectclass',
-        u'serverhostname'}
+        u'managing_host', u'objectclass', u'serverhostname'}
     create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
                                    'randompassword'}
     update_keys = retrieve_keys - {'dn'}
@@ -99,7 +98,6 @@ class HostTracker(Tracker):
             description=[self.description],
             l=[self.location],
             krbprincipalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
-            krbcanonicalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
             objectclass=objectclasses.host,
             ipauniqueid=[fuzzy_uuid],
             managedby_host=[self.fqdn],
diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index c741e3eb44f7b3d175daef4b78cc10f616ef0188..73b33c62694f4482806c519f1f12615064b35d85 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -47,8 +47,7 @@ class StageUserTracker(Tracker):
         u'st', u'mobile', u'pager', }
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipauniqueid', u'objectclass', u'description',
-        u'displayname', u'gecos', u'initials', u'krbcanonicalname',
-        u'krbprincipalname', u'manager'}
+        u'displayname', u'gecos', u'initials', u'krbprincipalname', u'manager'}
 
     create_keys = retrieve_all_keys | {
         u'objectclass', u'ipauniqueid', u'randompassword',
@@ -118,7 +117,6 @@ class StageUserTracker(Tracker):
             uidnumber=[u'-1'],
             gidnumber=[u'-1'],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
-            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
@@ -132,7 +130,6 @@ class StageUserTracker(Tracker):
                 self.attrs[key] = [u'%s@%s' % (
                     (self.kwargs[key].split('@'))[0].lower(),
                     (self.kwargs[key].split('@'))[1])]
-                self.attrs[u'krbcanonicalname'] = self.attrs[key]
             elif key == u'manager':
                 self.attrs[key] = [self.kwargs[key]]
             elif key == u'ipasshpubkey':
diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 3585e75859573fc03f346bc4ec32fe431d30942a..261ea69e1c713b61017cda7fb858340c070ab6e7 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -36,8 +36,8 @@ class UserTracker(Tracker):
         u'l', u'mobile', u'krbextradata', u'krblastpwdchange',
         u'krbpasswordexpiration', u'pager', u'st', u'manager', u'cn',
         u'ipauniqueid', u'objectclass', u'mepmanagedentry',
-        u'displayname', u'gecos', u'initials', u'krbcanonicalname',
-        'krbprincipalname', u'preserved'}
+        u'displayname', u'gecos', u'initials', u'krbprincipalname',
+        u'preserved'}
 
     retrieve_preserved_keys = (retrieve_keys - {u'memberof_group'}) | {
         u'preserved'}
@@ -146,7 +146,6 @@ class UserTracker(Tracker):
             uidnumber=[fuzzy_digits],
             gidnumber=[fuzzy_digits],
             krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
-            krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
             mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
             gecos=[u'%s %s' % (self.givenname, self.sn)],
             loginshell=[u'/bin/sh'],
-- 
2.5.5
