[Freeipa-devel] [PATCH] 0192 oddjob: avoid chown keytab to sssd if sssd user does not exist

2015-07-16 Thread Alexander Bokovoy

Hi,

a simple optimisation to allow FreeIPA 4.2 to work with SSSD 1.13
running as root instead of sssd user. Details in the commit message.

This also fixes a simple exception in current Fedora 22 +
mkosek/freeipa-4.2 repo because user 'sssd' does not exist.

Fixes ticket  https://fedorahosted.org/freeipa/ticket/5136

--
/ Alexander Bokovoy
From 5b341446a070f5d41e8363bf3e1d02c222dcc683 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 16 Jul 2015 14:11:26 +0300
Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not
 exist

If sssd user does not exist, it means SSSD does not run as sssd user.

Currently SSSD has too tight a check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with the
right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to the 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable of running as the 'sssd' user but doesn't create the 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains 
b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 85e3cc9..e50c81e 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, 
oneway_principal):
 env={'KRB5CCNAME': ccache_name, 
'LANG': 'C'},
 raiseonerr=False)
 # Make sure SSSD is able to read the keytab
-sssd = pwd.getpwnam('sssd')
-os.chown(oneway_keytab_name, sssd[2], sssd[3])
+try:
+sssd = pwd.getpwnam('sssd')
+os.chown(oneway_keytab_name, sssd[2], sssd[3])
+except KeyError as e:
+# If user 'sssd' does not exist, we don't need to chown from root to 
sssd
+# because it means SSSD does not run as sssd user
+pass
 
 
 def parse_options():
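Review bot: the `except KeyError` branch in retrieve_keytab() treats "user 'sssd' exists" as equivalent to "SSSD runs as sssd", but the commit message itself says SSSD only accepts a keytab owned by the user it runs under; on a host where the account exists yet SSSD is still running as root, the chown to sssd:sssd would make the keytab fail that same strict check, so the heuristic should be called out in the comment (or the chown gated on the configured SSSD user once that information is available to the script). Two smaller points in the same hunk: `except KeyError as e:` binds `e` and never uses it, so write `except KeyError:`; and the error-path comment is the only explanation of the behaviour, so fold the "user absent means SSSD does not run as sssd" rationale into the comment above the `try:` so it is seen on the normal path too.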
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
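The commit message above describes two pieces of behaviour worth seeing side by side: SSSD's strict keytab check (owner must be the uid the daemon runs under, mode exactly 0600) and the patch's decision to chown only when the 'sssd' account exists. The following is an added example written for this page; it is not FreeIPA, ipa-getkeytab or SSSD code. The function names (`write_keytab_like_file`, `keytab_acceptable`, `chown_keytab_if_user_exists`, `demo`) are made up for the example, the file content is a constructed placeholder (just the keytab v2 magic bytes, not a real keytab), and the `allow_root_owner` flag models the relaxed check the message says SSSD will grow (root:root also accepted), which is an assumption about future behaviour, not something this page verifies.

```python
import os
import pwd
import stat
import tempfile


def write_keytab_like_file(path, data=b"\x05\x02"):
    """Create a file the way a keytab should be created: O_EXCL, mode 0600.
    The content is a constructed placeholder (keytab v2 magic only)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # O_CREAT mode is masked by umask (bits can only be cleared); set it explicitly.
    os.chmod(path, 0o600)
    return path


def keytab_acceptable(path, daemon_uid, allow_root_owner=False):
    """Strict check as the commit message describes SSSD's current behaviour:
    owner == daemon_uid and mode exactly 0600.  allow_root_owner=True is the
    assumed relaxed variant (root:root additionally accepted)."""
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != 0o600:
        return False
    if st.st_uid == daemon_uid:
        return True
    return allow_root_owner and st.st_uid == 0


def chown_keytab_if_user_exists(path, user="sssd"):
    """Same decision the patch makes: chown to user:group only when the account
    exists.  Returns True if a chown happened, False if the user is absent.
    A chown to an existing user still needs root; that error is left to propagate."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return False
    os.chown(path, pw.pw_uid, pw.pw_gid)
    return True


def demo(user="sssd"):
    """Walk a temp file through create -> conditional chown -> checks and
    return the observations as a dict.  Pass a non-existent user name to run
    this unprivileged; with an existing user it needs root for the chown."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "keytab")
    write_keytab_like_file(path)
    me = os.geteuid()
    result = {
        "running_as_root": me == 0,
        # root:root (or creator-owned) 0600 passes the strict check for the creator
        "strict_ok_for_creator": keytab_acceptable(path, me),
        # but fails for any other daemon uid, which is the situation the patch avoids
        "strict_ok_for_other_uid": keytab_acceptable(path, me + 1),
        # the assumed relaxed check accepts it only when the file is root-owned
        "relaxed_ok_for_other_uid": keytab_acceptable(path, me + 1, allow_root_owner=True),
        "chowned": chown_keytab_if_user_exists(path, user),
    }
    result["strict_ok_for_creator_after"] = keytab_acceptable(path, me)
    # Loosen the mode: even the owner check passing is not enough, 0600 is required.
    os.chmod(path, 0o640)
    result["strict_ok_after_0640"] = keytab_acceptable(path, me)
    os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo("no-such-user-for-this-example").items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user with a name that does not exist to see the "user absent, leave root:root" path; run it as root with a real account name to see the chown path and how the strict check then flips to the new owner's uid.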

Re: [Freeipa-devel] [PATCH] 0192 oddjob: avoid chown keytab to sssd if sssd user does not exist

2015-07-16 Thread Tomas Babej


On 07/16/2015 01:19 PM, Alexander Bokovoy wrote:
 Hi,
 
 a simple optimisation to allow FreeIPA 4.2 to work with SSSD 1.13
 running as root instead of sssd user. Details in the commit message.
 
 This also fixes a simple exception in current Fedora 22 +
 mkosek/freeipa-4.2 repo because user 'sssd' does not exist.
 
 Fixes ticket  https://fedorahosted.org/freeipa/ticket/5136
 
 
 

ACK!

Pushed to:
master: c6a1bd591e81cd82c0715c01bcc82f2947adf3bb
ipa-4-2: d7f91dce493efc4e505ea758b073040716249561

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code