URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326
From 74fcf5c3d5520146a5b35d7c3ced2454c9a6e7e5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 12 Dec 2016 10:30:51 +0200 Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 --- install/share/smb.conf.template | 2 +- ipaserver/install/server/upgrade.py | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 2908b99..17bde5d 100644 --- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab -dedicated keytab file = FILE:/etc/samba/samba.keytab +dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2454507..9fbce88 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -47,6 +47,7 @@ from ipaserver.install import dnskeysyncinstance from ipaserver.install import krainstance from ipaserver.install import dogtaginstance +from ipaserver.install import adtrustinstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax 
@@ -267,6 +268,26 @@ def cleanup_adtrust(fstore): root_logger.debug('Removing %s from backup', backed_up_file) +def upgrade_adtrust_config(): + """ + Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix + """ + + if not adtrustinstance.ipa_smb_conf_exists(): + return + + root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") + + args = [paths.NET, "conf", "setparm", "global", + "dedicated keytab file", paths.SAMBA_KEYTAB] + + try: + ipautil.run(args) + except ipautil.CalledProcessError as e: + root_logger.warning("Error updating Samba registry: %s", e) + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1653,6 +1674,7 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) + upgrade_adtrust_config() bind = bindinstance.BindInstance(fstore) if bind.is_configured() and not bind.is_running():
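Review bot: The `except ipautil.CalledProcessError` branch in `upgrade_adtrust_config()` only logs a warning, so when `net conf setparm` fails the upgrade carries on and the Samba registry presumably keeps the old `FILE:`-prefixed value, which the commit message says Samba 4.5 does not accept. An upgrade that otherwise reports success could then leave the AD trust services without a usable keytab setting, with only a warning-level line to show for it. I would log at error level and name the consequence, e.g. `root_logger.error("Failed to update 'dedicated keytab file' in Samba registry; AD trust services may not find their keytab: %s", e)`, and consider reading the value back so the step counts as done only once the registry holds the plain path. The docstring says smb.conf while the code writes the registry through `net`; `"""Set 'dedicated keytab file' in the Samba registry to the plain keytab path (no FILE: prefix)."""` would match what the function does. The call added to `upgrade_configuration()` in the next hunk runs this on every upgrade, which looks harmless because the write sets a fixed value.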