URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
 Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: synchronized

From fc839dbff0c74aaf94f42a3583225e69b81f474c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 1/2] allow for more flexibility when requesting service keytab

The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.

The default actions should be usable by most installers without specific
overriding.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/service.py | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fbe3f23..3480e96 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,6 +540,20 @@ def _add_service_principal(self):
         except errors.DuplicateEntry:
             pass
 
+    def _clean_previous_keytab(self):
+        self.fstore.backup_file(self.keytab)
+        try:
+            os.unlink(self.keytab)
+        except OSError:
+            pass
+
+    def _set_keytab_owner(self):
+        if self.service_user is None:
+            raise NotImplementedError("Service user name is not defined")
+
+        pent = pwd.getpwnam(self.service_user)
+        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+
     def _run_getkeytab(self):
         """
         backup and remove old service keytab (if present) and fetch a new one
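Review bot: `_clean_previous_keytab` swallows every `OSError` from `os.unlink`, so a keytab that exists but cannot be removed (EACCES/EPERM, or a directory at that path) is silently kept, and the getkeytab run that follows adds the new keys next to the stale ones; only the not-found case is expected here. Narrow the handler to `except OSError as e:` / `if e.errno != errno.ENOENT:` / `raise` (this needs `errno` in scope, which is not visible in this hunk). `_set_keytab_owner` also deserves a comment that it is a hook subclasses may override, since the parent implementation deliberately raises when `service_user` is unset, e.g. `# Hook: subclasses whose keytab ownership must not change override this.`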
@@ -550,12 +564,6 @@ def _run_getkeytab(self):
             * self.dm_password is not none, then DM credentials are used to
               fetch keytab
         """
-        self.fstore.backup_file(self.keytab)
-        try:
-            os.unlink(self.keytab)
-        except OSError:
-            pass
-
         ldap_uri = self.api.env.ldap_uri
         args = [paths.IPA_GETKEYTAB,
                 '-k', self.keytab,
@@ -574,17 +582,15 @@ def _run_getkeytab(self):
         ipautil.run(args, nolog=nolog)
 
     def _request_service_keytab(self):
-        if any(attr is None for attr in (self.principal, self.keytab,
-                                         self.service_user)):
+        if any(attr is None for attr in (self.principal, self.keytab)):
             raise NotImplementedError(
                 "service must have defined principal "
-                "name, keytab, and username")
+                "name and keytab")
 
         self._add_service_principal()
+        self._clean_previous_keytab()
         self._run_getkeytab()
-
-        pent = pwd.getpwnam(self.service_user)
-        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+        self._set_keytab_owner()
 
 
 class SimpleServiceInstance(Service):

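Review bot: `_request_service_keytab` has become a template method whose `_clean_previous_keytab` and `_set_keytab_owner` steps are meant to be overridden (the commit message says so), but the code itself does not, and dropping `service_user` from the precondition check means a subclass that neither sets `service_user` nor overrides `_set_keytab_owner` now fails only after the new keytab has already been written. Add a docstring stating the contract, for instance `Add the service principal, purge the old keytab, fetch a new one and fix its ownership. Subclasses may override _clean_previous_keytab and _set_keytab_owner; an override of the latter is responsible for its own preconditions.` That makes the partial-state failure mode explicit to whoever writes the next installer.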
From 5322384b23db1438f724d883fe7f36e2734190d4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 3 Feb 2017 17:16:59 +0100
Subject: [PATCH 2/2] use the methods of the parent class to retrieve CIFS
 kerberos keys

adtrustinstance will now use the parent class's methods to retrieve keys for the CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/adtrustinstance.py | 30 +++++++++++-------------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index c866cdd..8efc951 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -530,27 +530,18 @@ def __setup_group_membership(self):
             api.Backend.ldap2, self.smb_dn, "member",
             [self.cifs_agent, self.host_princ])
 
-    def __setup_principal(self):
-        try:
-            api.Command.service_add(unicode(self.principal))
-        except errors.DuplicateEntry:
-            # CIFS principal already exists, it is not the first time
-            # adtrustinstance is managed
-            # That's fine, we we'll re-extract the key again.
-            pass
-        except Exception as e:
-            self.print_msg("Cannot add CIFS service: %s" % e)
-
+    def _clean_previous_keytab(self):
+        """
+        Purge old CIFS keys from samba and clean up samba ccache
+        """
         self.clean_samba_keytab()
         installutils.remove_ccache(paths.KRB5CC_SAMBA)
 
-        try:
-            ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
-                                          "--principal", self.principal,
-                                          "-k", self.keytab])
-        except ipautil.CalledProcessError:
-            root_logger.critical("Failed to add key for %s"
-                                 % self.principal)
+    def _set_keytab_owner(self):
+        """
+        Do not re-set ownership of samba keytab
+        """
+        pass
 
     def clean_samba_keytab(self):
         if os.path.exists(self.keytab):
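Review bot: The `_set_keytab_owner` docstring says `Do not re-set ownership of samba keytab`, but according to the commit message `self.keytab` here is the host keytab (/etc/krb5.keytab) shared with the host principal, which is the actual reason ownership must not be touched; say that: `Intentionally a no-op: CIFS keys are appended to the shared host keytab, whose ownership must stay as is.` The `_clean_previous_keytab` override also drops the parent's `fstore.backup_file` call without saying why — presumably because backing up and restoring the whole host keytab on uninstall is not wanted, but confirm and state it in the docstring so a later change does not reintroduce it. `clean_samba_keytab` continues past the end of this hunk.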
@@ -818,7 +809,8 @@ def create_instance(self):
                   self.__create_samba_domain_object)
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
-        self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs Kerberos principal",
+                  self._request_service_keytab)
         self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
                   self.__setup_group_membership)
         self.step("check for cifs services defined on other replicas", self.__check_replica)
-- 