URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
 Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: opened

PR body:
"""
In order to be able to function as a part of composite installer, samba
configuration code must be able to work without admin credentials. This
requires changes in the CIFS principal key retrieval method so that it is not
bound to the presence of privileged user ccache. This is achieved by slightly
altering and re-using the recently developed code for service keytab retrieval.

https://fedorahosted.org/freeipa/ticket/6638
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
From fc839dbff0c74aaf94f42a3583225e69b81f474c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 1/2] allow for more flexibility when requesting service keytab

The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.

The default actions should be usable by most installers without specific
overriding.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/service.py | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fbe3f23..3480e96 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,6 +540,20 @@ def _add_service_principal(self):
         except errors.DuplicateEntry:
             pass
 
+    def _clean_previous_keytab(self):
+        self.fstore.backup_file(self.keytab)
+        try:
+            os.unlink(self.keytab)
+        except OSError:
+            pass
+
+    def _set_keytab_owner(self):
+        if self.service_user is None:
+            raise NotImplementedError("Service user name is not defined")
+
+        pent = pwd.getpwnam(self.service_user)
+        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+
     def _run_getkeytab(self):
         """
         backup and remove old service keytab (if present) and fetch a new one
@@ -550,12 +564,6 @@ def _run_getkeytab(self):
             * self.dm_password is not none, then DM credentials are used to
               fetch keytab
         """
-        self.fstore.backup_file(self.keytab)
-        try:
-            os.unlink(self.keytab)
-        except OSError:
-            pass
-
         ldap_uri = self.api.env.ldap_uri
         args = [paths.IPA_GETKEYTAB,
                 '-k', self.keytab,
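Review bot: The docstring of `_run_getkeytab` still opens with "backup and remove old service keytab (if present) and fetch a new one" (the line directly above this hunk), but with the backup/unlink lines removed here that work now lives in `_clean_previous_keytab`, so the summary is stale. Trim it to `fetch a new service keytab using the credentials described below` or similar, so the two methods' responsibilities read correctly. `_run_getkeytab` continues past the end of the hunk.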
@@ -574,17 +582,15 @@ def _run_getkeytab(self):
         ipautil.run(args, nolog=nolog)
 
     def _request_service_keytab(self):
-        if any(attr is None for attr in (self.principal, self.keytab,
-                                         self.service_user)):
+        if any(attr is None for attr in (self.principal, self.keytab)):
             raise NotImplementedError(
                 "service must have defined principal "
-                "name, keytab, and username")
+                "name and keytab")
 
         self._add_service_principal()
+        self._clean_previous_keytab()
         self._run_getkeytab()
-
-        pent = pwd.getpwnam(self.service_user)
-        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+        self._set_keytab_owner()
 
 
 class SimpleServiceInstance(Service):
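Review bot: Dropping `self.service_user` from the precondition check at the top of `_request_service_keytab` moves the NotImplementedError from before any work is done into `_set_keytab_owner`, i.e. after the principal has been added and the keytab fetched and left with whatever ownership ipa-getkeytab gave it; a service with no `service_user` and no override now fails half-way through. If the intent is that such services must override `_set_keytab_owner`, say so in a docstring on `_request_service_keytab`, e.g. "Subclasses that define no service_user must override _set_keytab_owner; _clean_previous_keytab may also be overridden."; otherwise keep `self.service_user` in the check so the failure stays up front.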

From 5422ffa7c0fe6fc26f821ac041be307a4bf6e0d8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 3 Feb 2017 17:16:59 +0100
Subject: [PATCH 2/2] use the methods of the parent class to retrieve CIFS
 kerberos keys

adtrustinstance will now use parent's methods to retrieve keys for CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/adtrustinstance.py | 30 +++++++++++-------------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index c866cdd..321bbcc 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -530,27 +530,18 @@ def __setup_group_membership(self):
             api.Backend.ldap2, self.smb_dn, "member",
             [self.cifs_agent, self.host_princ])
 
-    def __setup_principal(self):
-        try:
-            api.Command.service_add(unicode(self.principal))
-        except errors.DuplicateEntry:
-            # CIFS principal already exists, it is not the first time
-            # adtrustinstance is managed
-            # That's fine, we we'll re-extract the key again.
-            pass
-        except Exception as e:
-            self.print_msg("Cannot add CIFS service: %s" % e)
-
+    def _clean_previous_keytab(self):
+        """
+        Purge old CIFS keys from /etc/krb5.keytab and clean up samba ccache
+        """
         self.clean_samba_keytab()
         installutils.remove_ccache(paths.KRB5CC_SAMBA)
 
-        try:
-            ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
-                                          "--principal", self.principal,
-                                          "-k", self.keytab])
-        except ipautil.CalledProcessError:
-            root_logger.critical("Failed to add key for %s"
-                                 % self.principal)
+    def _set_keytab_owner(self):
+        """
+        Do not re-set ownership of /etc/krb5.keytab
+        """
+        pass
 
     def clean_samba_keytab(self):
         if os.path.exists(self.keytab):
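Review bot: The `_clean_previous_keytab` override at this hunk drops the handling the removed `__setup_principal` had for a failing `ipa-getkeytab` (`except ipautil.CalledProcessError` logging via `root_logger.critical`); the parent's `_run_getkeytab` calls `ipautil.run` with no such handler (first patch), so the install step now presumably propagates the error instead of logging and continuing, and the `except Exception` that printed a failed `service_add` is gone too, the parent absorbing only DuplicateEntry. If that stricter behaviour is intended it should be stated in the commit message, since it is the user-visible consequence. The new docstring names `/etc/krb5.keytab` while the code operates on `self.keytab`; `Purge old CIFS keys from self.keytab and remove the samba ccache` ties it to the actual path. In `_set_keytab_owner` the `pass` is redundant after a docstring and can be dropped.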
@@ -818,7 +809,8 @@ def create_instance(self):
                   self.__create_samba_domain_object)
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
-        self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs Kerberos principal",
+                  self._request_service_keytab)
         self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
                   self.__setup_group_membership)
         self.step("check for cifs services defined on other replicas", self.__check_replica)
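Review bot: The step label "adding cifs Kerberos principal" now understates what `_request_service_keytab` does, since it also purges the stale CIFS keys and fetches new ones; `self.step("adding cifs Kerberos principal and retrieving its keytab",` would match what the progress output reports. `create_instance` starts and ends outside this hunk.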
-- 