URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Action: opened

PR body:
"""
Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while the Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace the 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use the net utility to manipulate the
configuration:

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 04aba48840c95a95e48fc397545b3e7d67516575 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in
 smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while the Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace the 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use the net utility to manipulate the
configuration:

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
---
 install/share/smb.conf.template     |  2 +-
 ipaserver/install/server/upgrade.py | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2454507..77a1f11 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -266,6 +267,24 @@ def cleanup_adtrust(fstore):
             fstore.untrack_file(backed_up_file)
             root_logger.debug('Removing %s from backup', backed_up_file)
 
+def upgrade_adtrust_config():
+    """
+    Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+    """
+
+    if not adtrustinstance.ipa_smb_conf_exists():
+        return
+
+    root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+                     "in Samba configuration]")
+
+    args = [paths.NET, "conf", "setparm", "global",
+            "dedicated keytab file", paths.SAMBA_KEYTAB]
+
+    try:
+        ipautil.run(args)
+    except ipautil.CalledProcessError as e:
+        root_logger.warning("Error updating Samba registry: %s", e)
 
 def ca_configure_profiles_acl(ca):
     root_logger.info('[Authorizing RA Agent to modify profiles]')
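Review bot: upgrade_adtrust_config() rewrites the registry value on every upgrade run, not only when the stored value still carries a FILE: or WRFILE: prefix; consider reading the current value first (e.g. `net conf getparm global 'dedicated keytab file'`) and calling setparm only when it differs from paths.SAMBA_KEYTAB, so repeated upgrades neither touch the Samba registry nor log the "[Remove FILE: prefix ...]" step needlessly. Two smaller points in the same hunk: the function relies on `paths` and `ipautil` already being imported in upgrade.py (only adtrustinstance is added in this patch, so please double-check), and PEP 8 wants two blank lines before `def upgrade_adtrust_config():` and before `def ca_configure_profiles_acl(ca):` where this hunk leaves only one. Downgrading a failed setparm to a warning is reasonable for an upgrade step, but note that a server left with the old FILE: value will then fail at Samba start rather than at upgrade time, so the warning text should say which value to fix by hand.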
@@ -1653,6 +1672,7 @@ def upgrade_configuration():
 
     cleanup_kdc(fstore)
     cleanup_adtrust(fstore)
+    upgrade_atrust_config()
 
     bind = bindinstance.BindInstance(fstore)
     if bind.is_configured() and not bind.is_running():
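Review bot: the call site is misspelled: the hunk adds `upgrade_atrust_config()` while the function defined earlier in this patch is `upgrade_adtrust_config`. As written every ipa-server-upgrade run raises NameError at this point and aborts upgrade_configuration() before the bind checks that follow. Change the line to `    upgrade_adtrust_config()`.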
-- 