URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: opened
PR body:
"""
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own
server's host name. This value is then used in multiple places, including
construction of cifs/host.name principal.

`ipasam` module always uses GSSAPI authentication when talking to LDAP, so
Kerberos keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports FQDN name,
`ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal
and non-FQDN hostname. Also host name and principal name must have the same
case.

Report an error when configuring ADTrust instance with inconsistent runtime
hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/629/head:pr629
git checkout pr629
From b61aa797379709dca6c08b7f9be45fcc1aa102eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration

FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own
server's host name. This value is then used in multiple places, including
construction of cifs/host.name principal.

`ipasam` module always uses GSSAPI authentication when talking to LDAP, so
Kerberos keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports FQDN name,
`ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal
and non-FQDN hostname. Also host name and principal name must have the same
case.

Report an error when configuring ADTrust instance with inconsistent runtime
hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
---
 ipaserver/install/adtrustinstance.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b18985..1851cc4 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -689,6 +689,15 @@ def __enable_compat_tree(self): except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) + def __validate_server_hostname(self): + hostname = socket.gethostname() + if hostname != self.fqdn: + raise ValueError("Host reports different name than configured: "\ + "'%s' versus '%s'. Samba requires to have "\ + "the same hostname or Kerberos principal "\ + "'cifs/%s' will not be found in Samba keytab." % \ + (hostname, self.fqdn, self.fqdn)) + def __start(self): try: self.start() @@ -809,6 +818,8 @@ def create_instance(self): self.__create_samba_domain_object) self.step("creating samba config registry", self.__write_smb_registry) self.step("writing samba config file", self.__write_smb_conf) + self.step("validate server hostname", + self.__validate_server_hostname) self.step("adding cifs Kerberos principal", self.request_service_keytab) self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
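Review bot: in the first hunk, `__validate_server_hostname` calls `socket.gethostname()` but the hunk adds no `import socket`, so please confirm `adtrustinstance.py` already imports it, otherwise the new step raises NameError instead of the intended ValueError. The backslash continuations inside the `ValueError(...)` argument list are unnecessary (Python joins lines implicitly inside parentheses) and a stray space after a backslash becomes a SyntaxError; drop them and let the adjacent string literals concatenate. The message could also be grammatical and actionable, e.g. `"Host reports different name than configured: '%s' versus '%s'. Samba requires the runtime host name to match the configured FQDN, including case, or the Kerberos principal 'cifs/%s' will not be found in the Samba keytab."`. Note that the `!=` comparison also rejects a case-only difference; that is consistent with the PR description ("host name and principal name must have the same case") and is worth saying in the message so administrators do not treat it as a false positive.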
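Review bot: in the second hunk, the new "validate server hostname" step is registered after "creating samba config registry" and "writing samba config file", so when the check fails the installer has already written the Samba registry and smb.conf before raising. The check only reads `socket.gethostname()` and `self.fqdn` and depends on none of the earlier steps, so consider registering it first in the step list (or wherever the installer does its pre-installation checks, if it has such a phase) so an inconsistent hostname aborts before anything is modified. Minor: the neighbouring step descriptions use the gerund form ("creating", "writing", "adding"), so "validating server hostname" would read consistently in the installer's progress output.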
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code