URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: synchronized
From ec8727e7bdd367005def508195e56809b4135f14 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:41:59 +0100
Subject: [PATCH 1/2] Always check and create anonymous principal during KDC install

The anonymous principal will now be checked for presence and created on both server and replica install. This fixes errors caused during replica installation against older master that do not have anonymous principal present.

https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/krbinstance.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 5f4b528..6c105f7 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -33,7 +33,7 @@ from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython import kernel_keyring
-from ipalib import api
+from ipalib import api, errors
 from ipalib.constants import ANON_USER
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
@@ -142,6 +142,7 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
         pass
 
     def __common_post_setup(self):
+        self.step("creating anonymous principal", self.add_anonymous_principal)
         self.step("starting the KDC", self.__start_instance)
         self.step("configuring KDC to start on boot", self.__enable)
 
@@ -160,7 +161,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-        self.step("creating anonymous principal", self.add_anonymous_principal)
         self.__common_post_setup()
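Review bot: The step label `"creating anonymous principal"` moved into `__common_post_setup` now runs on both the server and the replica path, where the principal may already exist and the step only verifies and activates it, so the progress message shown to the user overstates what happens in that case. `self.step("ensuring anonymous principal exists and is active", self.add_anonymous_principal)` would describe the new behaviour on both paths. The step is ordered before `__start_instance`, which matches where the removed `create_instance` step ran, but the callers of `__common_post_setup` are outside the hunk, so whether every caller (in particular the replica path) has the LDAP backend connected by this point cannot be confirmed from here; whether `__common_post_setup` continues past the hunk's last context line is also not visible.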
@@ -432,8 +432,17 @@ def get_anonymous_principal_name(self):
     def add_anonymous_principal(self):
         # Create the special anonymous principal
         princ_realm = self.get_anonymous_principal_name()
-        installutils.kadmin_addprinc(princ_realm)
-        self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+        dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
+        try:
+            self.api.Backend.ldap2.get_entry(dn)
+        except errors.NotFound:
+            installutils.kadmin_addprinc(princ_realm)
+            self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+
+        try:
+            self.api.Backend.ldap2.set_entry_active(dn, True)
+        except errors.AlreadyActive:
+            pass
 
     def __convert_to_gssapi_replication(self):
         repl = replication.ReplicationManager(self.realm,

From 26bb2d6bbd681d2ec0fbd78645334351aa55a7e7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:52:14 +0100
Subject: [PATCH 2/2] Remove duplicate functionality in upgrade

Since krbinstance code can now handle all operations of the `enabled_anonymous_principal` function from upgrade we can remove extraneous function altogether.

https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/server/upgrade.py | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0db764c..25b8629 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
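Review bot: The `set_entry_active(dn, True)` call added to add_anonymous_principal re-activates the anonymous principal on every server and replica install, and on every upgrade run once patch 2 routes the upgrade through this method, so an administrator's deliberate deactivation of that principal is undone with nothing in the log; the removed upgrade helper had the same effect, but it now runs from more places. Since `root_logger` is already imported in this file, consider recording the transition on the success path of that `try`, e.g. `root_logger.info("Activated anonymous principal %s", princ_realm)` placed right after the `set_entry_active` call so the `AlreadyActive` case stays quiet. The only comment, `# Create the special anonymous principal`, now describes just the `NotFound` branch; a docstring such as `"""Ensure the anonymous principal exists and is active (idempotent)."""` would document the replica-against-older-master case this change exists for. The lookup also relies on `self.api` being set on the instance (the removed upgrade helper used the module-level `api`) and on `ldap2` being connected when `__common_post_setup` runs, neither of which this hunk can confirm.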
@@ -1482,20 +1482,6 @@ def add_default_caacl(ca):
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
 
 
-def enable_anonymous_principal(krb):
-    princ_realm = krb.get_anonymous_principal_name()
-    dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
-    try:
-        _ = api.Backend.ldap2.get_entry(dn) # pylint: disable=unused-variable
-    except ipalib.errors.NotFound:
-        krb.add_anonymous_principal()
-
-    try:
-        api.Backend.ldap2.set_entry_active(dn, True)
-    except ipalib.errors.AlreadyActive:
-        pass
-
-
 def setup_pkinit(krb):
     root_logger.info("[Setup PKINIT]")
 
@@ -1809,7 +1795,7 @@ def upgrade_configuration():
         KDC_CERT=paths.KDC_CERT,
         KDC_KEY=paths.KDC_KEY,
         CACERT_PEM=paths.CACERT_PEM)
-    enable_anonymous_principal(krb)
+    krb.add_anonymous_principal()
     http.request_anon_keytab()
     setup_pkinit(krb)