URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 93c1e574ed44d3195aa1402eece5b8391fd6d93d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(which implies the FILE: prefix) while the Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace the 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use the net utility to manipulate the

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
 install/share/smb.conf.template     |  2 +-
 ipaserver/install/server/upgrade.py | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
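Review bot: the bare-path form here only reaches new installs rendered from this template; existing registry-backed configurations are handled by the upgrade.py hunk. Please confirm that this template value and paths.SAMBA_KEYTAB (used by the upgrade code) both resolve to /etc/samba/samba.keytab, so fresh and upgraded servers end up with the same keytab location rather than silently diverging.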
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2454507..4ade2f9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
@@ -267,6 +268,26 @@ def cleanup_adtrust(fstore):
             root_logger.debug('Removing %s from backup', backed_up_file)
+def upgrade_adtrust_config():
+    """
+    Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+    """
+    if not adtrustinstance.ipa_smb_conf_exists():
+        return
+    root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+                     "in Samba configuration]")
+    args = [paths.NET, "conf", "setparm", "global",
+            "dedicated keytab file", paths.SAMBA_KEYTAB]
+    try:
+        ipautil.run(args)
+    except ipautil.CalledProcessError as e:
+        root_logger.warning("Error updating Samba registry: %s", e)
 def ca_configure_profiles_acl(ca):
     root_logger.info('[Authorizing RA Agent to modify profiles]')
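Review bot: the docstring says the value is upgraded "in smb.conf", but the code rewrites the Samba registry through `net conf setparm`; adjust the docstring so it names the registry, since the file on disk is not touched. On CalledProcessError the function only logs a warning and returns, so a failed `net` call leaves the old FILE: value in place while the upgrade still reports success; the warning should at least say that Samba 4.5 will not open the keytab until 'dedicated keytab file' is corrected by hand, and logging the failing command line alongside the error would make that easier to diagnose. The setparm also runs unconditionally on every upgrade; that is harmless because it is idempotent, but checking the current value with `net conf getparm` first would avoid a needless registry write and a misleading "[Remove FILE: prefix ...]" log line when nothing changes.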
@@ -1653,6 +1674,7 @@ def upgrade_configuration():
+    upgrade_atrust_config()
     bind = bindinstance.BindInstance(fstore)
     if bind.is_configured() and not bind.is_running():
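Review bot: the call is misspelled: `upgrade_atrust_config()` does not match the function defined above, `upgrade_adtrust_config()`, so upgrade_configuration() would raise NameError at this point on every upgrade. Fix the name, and run pyflakes (or add a unit test exercising upgrade_configuration()) so an undefined name like this is caught before merge.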