Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
Hi,

On 13.11.2014 at 14:50, Martin Basti wrote:
> On 13/11/14 13:59, Jan Cholasta wrote:
>> On 12.11.2014 at 13:33, Martin Basti wrote:
>>> On 11/11/14 16:58, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 11.11.2014 at 16:22, Martin Basti wrote:
>>>>> Using the specfile to create the file doesn't work if the named user is not on the system.
>>>>> Appropriate permissions have to be set during ipa-dns installation.
>>>>>
>>>>> Patch attached
>>>>
>>>> Why is the directory set up in dnskeysyncinstance instead of bindinstance?
>>>
>>> Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)
>>
>> OK. But please rename the method to something more suitable (fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.
>>
>> Also please change the ticket link to https://fedorahosted.org/freeipa/ticket/4716 (cloned from BZ).
>>
>>>> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?
>>>
>>> Cases:
>>> 1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
>>> 2) fresh RPM install, named user - no impact
>>> 3) upgrade IPA with DNS - no impact
>>> 4) upgrade IPA without DNS - after DNS installation, same as 1)
>>> 5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)
>>>
>>> Only 5) looks serious to me, so here is the updated patch.
>>
>> Could you do the update without the code duplication? In similar code an appropriate *instance method is usually called.

The uid/gid resolution in ipa-upgradeconfig still looks like duplicated code to me. I would suggest doing something along these lines in ipa-upgradeconfig:

    dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
    dnskeysync.set_dyndb_ldap_workdir_permissions()

and have DNSKeySyncInstance.set_dyndb_ldap_workdir_permissions() do all the real work.

>>> Martin^2
>>
>> Honza
>>>>
>>>> Honza
>
> Thanks. Updated patch attached.
>
> Martin^2

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 18/11/14 15:01, Jan Cholasta wrote:
> Hi,
>
> On 13.11.2014 at 14:50, Martin Basti wrote:
>> On 13/11/14 13:59, Jan Cholasta wrote:
>>> On 12.11.2014 at 13:33, Martin Basti wrote:
>>>> On 11/11/14 16:58, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 11.11.2014 at 16:22, Martin Basti wrote:
>>>>>> Using the specfile to create the file doesn't work if the named user is not on the system.
>>>>>> Appropriate permissions have to be set during ipa-dns installation.
>>>>>>
>>>>>> Patch attached
>>>>>
>>>>> Why is the directory set up in dnskeysyncinstance instead of bindinstance?
>>>>
>>>> Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)
>>>
>>> OK. But please rename the method to something more suitable (fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.
>>>
>>> Also please change the ticket link to https://fedorahosted.org/freeipa/ticket/4716 (cloned from BZ).
>>>
>>>>> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?
>>>>
>>>> Cases:
>>>> 1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
>>>> 2) fresh RPM install, named user - no impact
>>>> 3) upgrade IPA with DNS - no impact
>>>> 4) upgrade IPA without DNS - after DNS installation, same as 1)
>>>> 5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)
>>>>
>>>> Only 5) looks serious to me, so here is the updated patch.
>>>
>>> Could you do the update without the code duplication? In similar code an appropriate *instance method is usually called.
>
> The uid/gid resolution in ipa-upgradeconfig still looks like duplicated code to me. I would suggest doing something along these lines in ipa-upgradeconfig:
>
>     dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
>     dnskeysync.set_dyndb_ldap_workdir_permissions()
>
> and have DNSKeySyncInstance.set_dyndb_ldap_workdir_permissions() do all the real work.

Updated patch attached.

Martin^2

>>>> Martin^2
>>>
>>> Honza
>>>>>
>>>>> Honza
>>
>> Thanks. Updated patch attached.
>>
>> Martin^2
>
> Honza

--
Martin Basti
From 59b6e540f03898ffc93621a3eab74b7e07974728 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 11 Nov 2014 13:00:18 +0100 Subject: [PATCH] Fix named working directory permissions Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4716 --- freeipa.spec.in | 3 +-- install/tools/ipa-upgradeconfig | 14 + ipaplatform/base/paths.py | 1 + ipaserver/install/dnskeysyncinstance.py | 36 +++-- 4 files changed, 46 insertions(+), 8 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/ /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html mkdir -p %{buildroot}%{_initrddir} mkdir %{buildroot}%{_sysconfdir}/sysconfig/ -mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter @@ -660,7 +659,6 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service 
@@ -774,6 +772,7 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %ghost %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %{_localstatedir}/named/dyndb-ldap/ipa %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 6556d8f313d3a9efeb32d4cba97cb82796459652..b0b574476ffc5ce6f075cf46177cc059483551ab 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -30,6 +30,7 @@ import shutil import pwd import fileinput import ConfigParser +import grp from ipalib import api import SSSDConfig @@ -1161,6 +1162,18 @@ def mask_named_regular(): return False +def fix_dyndb_ldap_workdir_permissions(): +Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it +if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'): +return + +if bindinstance.named_conf_exists(): +root_logger.info('[Fix bind-dyndb-ldap IPA working
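Review bot: the `@@ -30,6 +30,7 @@` hunk of install/tools/ipa-upgradeconfig still adds `+import grp`, yet the diffstat (`install/tools/ipa-upgradeconfig | 14 +`, `ipaserver/install/dnskeysyncinstance.py | 36 +++--`) shows the uid/gid resolution has moved into DNSKeySyncInstance; unless something else in ipa-upgradeconfig uses grp, the import is now dead and should be dropped. In the new `fix_dyndb_ldap_workdir_permissions()`, the `sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm')` early return means the fix runs at most once per host, so a directory later re-created with the wrong owner will not be repaired by later upgrades; if the instance method is idempotent, consider re-applying it on every run instead of keeping the flag.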
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 18.11.2014 at 16:53, Martin Basti wrote:
> On 18/11/14 15:01, Jan Cholasta wrote:
>> Hi,
>>
>> On 13.11.2014 at 14:50, Martin Basti wrote:
>>> On 13/11/14 13:59, Jan Cholasta wrote:
>>>> On 12.11.2014 at 13:33, Martin Basti wrote:
>>>>> On 11/11/14 16:58, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 11.11.2014 at 16:22, Martin Basti wrote:
>>>>>>> Using the specfile to create the file doesn't work if the named user is not on the system.
>>>>>>> Appropriate permissions have to be set during ipa-dns installation.
>>>>>>>
>>>>>>> Patch attached
>>>>>>
>>>>>> Why is the directory set up in dnskeysyncinstance instead of bindinstance?
>>>>>
>>>>> Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)
>>>>
>>>> OK. But please rename the method to something more suitable (fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.
>>>>
>>>> Also please change the ticket link to https://fedorahosted.org/freeipa/ticket/4716 (cloned from BZ).
>>>>
>>>>>> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?
>>>>>
>>>>> Cases:
>>>>> 1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
>>>>> 2) fresh RPM install, named user - no impact
>>>>> 3) upgrade IPA with DNS - no impact
>>>>> 4) upgrade IPA without DNS - after DNS installation, same as 1)
>>>>> 5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)
>>>>>
>>>>> Only 5) looks serious to me, so here is the updated patch.
>>>>
>>>> Could you do the update without the code duplication? In similar code an appropriate *instance method is usually called.
>>
>> The uid/gid resolution in ipa-upgradeconfig still looks like duplicated code to me. I would suggest doing something along these lines in ipa-upgradeconfig:
>>
>>     dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
>>     dnskeysync.set_dyndb_ldap_workdir_permissions()
>>
>> and have DNSKeySyncInstance.set_dyndb_ldap_workdir_permissions() do all the real work.
>
> Updated patch attached.
>
> Martin^2

Thanks, ACK.

Pushed to:
master: 7c176b708eb855ea8774ad36ba72fd31952a8895
ipa-4-1: ba124045b9f39f8264a974c977beba6f15b1b1fb

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 12.11.2014 at 13:33, Martin Basti wrote:
> On 11/11/14 16:58, Jan Cholasta wrote:
>> Hi,
>>
>> On 11.11.2014 at 16:22, Martin Basti wrote:
>>> Using the specfile to create the file doesn't work if the named user is not on the system.
>>> Appropriate permissions have to be set during ipa-dns installation.
>>>
>>> Patch attached
>>
>> Why is the directory set up in dnskeysyncinstance instead of bindinstance?
>
> Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)

OK. But please rename the method to something more suitable (fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.

Also please change the ticket link to https://fedorahosted.org/freeipa/ticket/4716 (cloned from BZ).

>> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?
>
> Cases:
> 1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
> 2) fresh RPM install, named user - no impact
> 3) upgrade IPA with DNS - no impact
> 4) upgrade IPA without DNS - after DNS installation, same as 1)
> 5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)
>
> Only 5) looks serious to me, so here is the updated patch.

Could you do the update without the code duplication? In similar code an appropriate *instance method is usually called.

> Martin^2
>
>> Honza

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 13/11/14 13:59, Jan Cholasta wrote:
> On 12.11.2014 at 13:33, Martin Basti wrote:
>> On 11/11/14 16:58, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 11.11.2014 at 16:22, Martin Basti wrote:
>>>> Using the specfile to create the file doesn't work if the named user is not on the system.
>>>> Appropriate permissions have to be set during ipa-dns installation.
>>>>
>>>> Patch attached
>>>
>>> Why is the directory set up in dnskeysyncinstance instead of bindinstance?
>>
>> Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)
>
> OK. But please rename the method to something more suitable (fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.
>
> Also please change the ticket link to https://fedorahosted.org/freeipa/ticket/4716 (cloned from BZ).
>
>>> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?
>>
>> Cases:
>> 1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
>> 2) fresh RPM install, named user - no impact
>> 3) upgrade IPA with DNS - no impact
>> 4) upgrade IPA without DNS - after DNS installation, same as 1)
>> 5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)
>>
>> Only 5) looks serious to me, so here is the updated patch.
>
> Could you do the update without the code duplication? In similar code an appropriate *instance method is usually called.
>
>> Martin^2
>>
>>> Honza
>
> Honza

Thanks. Updated patch attached.

Martin^2

--
Martin Basti

From b0fdc2d3e2feddcabb46bbef3fd1e9c519835164 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com Date: Tue, 11 Nov 2014 13:00:18 +0100 Subject: [PATCH] Fix named working directory permissions Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4716 --- freeipa.spec.in | 3 +-- install/tools/ipa-upgradeconfig | 26 ++ ipaplatform/base/paths.py | 1 + ipaserver/install/dnskeysyncinstance.py | 18 ++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/ /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html mkdir -p %{buildroot}%{_initrddir} mkdir %{buildroot}%{_sysconfdir}/sysconfig/ -mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter @@ -660,7 +659,6 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service @@ -774,6 +772,7 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %ghost %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %{_localstatedir}/named/dyndb-ldap/ipa %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 6556d8f313d3a9efeb32d4cba97cb82796459652..7655451becc8d49ef361a5e14c1aea8aaf18f696 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -30,6 +30,7 @@ import shutil import pwd import fileinput import ConfigParser +import grp from ipalib import api import SSSDConfig @@ -1161,6 +1162,30 @@ def mask_named_regular(): return False +def fix_dyndb_ldap_workdir_permissions(): +Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it +if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'): +return + +if bindinstance.named_conf_exists(): +root_logger.info('[Fix bind-dyndb-ldap IPA working directory]') +named = services.knownservices.named + +try: +named_uid = pwd.getpwnam(named.get_user_name()).pw_uid +except KeyError: +raise RuntimeError(Named UID not found) + +try: +named_gid = grp.getgrnam(named.get_group_name()).gr_gid +except KeyError: +raise RuntimeError(Named GID not found) + +dnskeysyncinstance.set_dyndb_ldap_workdir_permissions(named_uid, +
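Review bot: the `@@ -1161,6 +1162,30 @@` hunk in ipa-upgradeconfig still resolves `named_uid`/`named_gid` with `pwd.getpwnam`/`grp.getgrnam` (with their two `raise RuntimeError(...)` branches) before calling `dnskeysyncinstance.set_dyndb_ldap_workdir_permissions(named_uid, ...`, so the lookup lives both here and in DNSKeySyncInstance; let the instance method resolve the ids itself from `services.knownservices.named` and drop the `+import grp` from this file. The commit message now points at ticket/4716 as requested.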
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 11/11/14 16:58, Jan Cholasta wrote:
> Hi,
>
> On 11.11.2014 at 16:22, Martin Basti wrote:
>> Using the specfile to create the file doesn't work if the named user is not on the system.
>> Appropriate permissions have to be set during ipa-dns installation.
>>
>> Patch attached
>
> Why is the directory set up in dnskeysyncinstance instead of bindinstance?

Because dnskeysyncinstance is the daemon which requires the permission change. (The dir is created by the dyndb-ldap plugin.)

> The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?

Cases:
1) fresh RPM install, no named user during RPM install - named doesn't start, the user has to fix it immediately, can't wait until the next release.
2) fresh RPM install, named user - no impact
3) upgrade IPA with DNS - no impact
4) upgrade IPA without DNS - after DNS installation, same as 1)
5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not work (if the user doesn't use DNSSEC)

Only 5) looks serious to me, so here is the updated patch.

Martin^2

> Honza

--
Martin Basti

From 6412d1bd6d5a21941c50f56996b81b04c6d86cb0 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 11 Nov 2014 13:00:18 +0100 Subject: [PATCH] Fix named working directory permissions Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:6 --- freeipa.spec.in | 3 +-- install/tools/ipa-upgradeconfig | 29 + ipaplatform/base/paths.py | 1 + ipaserver/install/dnskeysyncinstance.py | 21 + 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in
@@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/ /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html mkdir -p %{buildroot}%{_initrddir} mkdir %{buildroot}%{_sysconfdir}/sysconfig/ -mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter @@ -660,7 +659,6 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service @@ -774,6 +772,7 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %ghost %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %{_localstatedir}/named/dyndb-ldap/ipa %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 6556d8f313d3a9efeb32d4cba97cb82796459652..aa9fcd1e0802911c0f1f389afc99a83fc8052493 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -30,6 +30,7 @@ import shutil import pwd import fileinput import ConfigParser +import grp from ipalib import api import SSSDConfig 
@@ -1161,6 +1162,33 @@ def mask_named_regular(): return False +def fix_dyndb_ldap_ipa_workdir_perm(): +Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it +if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'): +return + +if bindinstance.named_conf_exists(): +root_logger.info('[Fix bind-dyndb-ldap IPA working directory]') +named = services.knownservices.named + +try: +named_uid = pwd.getpwnam(named.get_user_name()).pw_uid +except KeyError: +raise RuntimeError(Named UID not found) + +try: +named_gid = grp.getgrnam(named.get_group_name()).gr_gid +except KeyError: +raise RuntimeError(Named GID not found) + +if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR): +os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770) + +os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770) +os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, named_uid, named_gid) + +sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True) + def fix_schema_file_syntax(): Fix syntax errors in schema files @@ -1433,6 +1461,7 @@ def main(): named_managed_keys_dir_option(), named_root_key_include(),
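Review bot: `fix_dyndb_ldap_ipa_workdir_perm()` in the `@@ -1161,6 +1162,33 @@` hunk is a line-for-line copy of `__setup_dyndb_ldap_workdir` from dnskeysyncinstance.py (uid/gid lookup, `os.mkdir(..., 0770)`, `os.chmod`, `os.chown`); keep a single implementation on DNSKeySyncInstance and call it from here, otherwise a later hardening (for example refusing to chown through a symlink at `paths.BIND_LDAP_DNS_IPA_WORKDIR`) lands in one copy only. Setting `sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)` only inside the `if bindinstance.named_conf_exists():` branch is right, since a host that gets DNS later goes through the installer step instead. The commit message still links ticket/4657#comment:6 rather than a dedicated ticket.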
[Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
Using the specfile to create the file doesn't work if the named user is not on the system.
Appropriate permissions have to be set during ipa-dns installation.

Patch attached

--
Martin Basti

From 44593f97c51cc683218ac4ed81f821ee751ee6c5 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 11 Nov 2014 13:00:18 +0100 Subject: [PATCH] Fix named working directory permissions Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:6 --- freeipa.spec.in | 3 +-- ipaplatform/base/paths.py | 1 + ipaserver/install/dnskeysyncinstance.py | 21 + 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/ /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html mkdir -p %{buildroot}%{_initrddir} mkdir %{buildroot}%{_sysconfdir}/sysconfig/ -mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter @@ -660,7 +659,6 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service
@@ -774,6 +772,7 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %ghost %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %{_localstatedir}/named/dyndb-ldap/ipa %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index af502628e493ad7b4d8d30ed1acb98bba8cb39e4..e4970e9b684b06ad98d56605d6d0419cb9e39cb2 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -189,6 +189,7 @@ class BasePathNamespace(object): BIN_WGET = /usr/bin/wget ZIP = /usr/bin/zip BIND_LDAP_SO = /usr/lib/bind/ldap.so +BIND_LDAP_DNS_IPA_WORKDIR = /var/named/dyndb-ldap/ipa/ BIND_LDAP_DNS_ZONE_WORKDIR = /var/named/dyndb-ldap/ipa/master/ USR_LIB_DIRSRV = /usr/lib/dirsrv USR_LIB_SLAPD_INSTANCE_TEMPLATE = /usr/lib/dirsrv/slapd-%s diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..f3d225fc114c1a8ffed1637a90448122b862b745 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -119,6 +119,8 @@ class DNSKeySyncInstance(service.Service): self.ldap_connect() # checking status step must be first self.step(checking status, self.__check_dnssec_status) +self.step(setting up bind-dyndb-ldap working directory, + self.__setup_dyndb_ldap_workdir) self.step(setting up kerberos principal, self.__setup_principal) self.step(setting up SoftHSM, self.__setup_softhsm) self.step(adding DNSSEC containers, self.__setup_dnssec_containers) 
@@ -171,6 +173,25 @@ class DNSKeySyncInstance(service.Service): self._ldap_mod(dnssec.ldif, {'SUFFIX': self.suffix, }) +def __setup_dyndb_ldap_workdir(self): +named = services.knownservices.named + +try: +named_uid = pwd.getpwnam(named.get_user_name()).pw_uid +except KeyError: +raise RuntimeError(Named UID not found) + +try: +named_gid = grp.getgrnam(named.get_group_name()).gr_gid +except KeyError: +raise RuntimeError(Named GID not found) + +if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR): +os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770) +# dnssec daemons require to have access into the directory +os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770) +os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, named_uid, named_gid) + def __setup_softhsm(self): assert self.ods_uid is not None assert self.named_gid is not None -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
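Review bot: in the freeipa.spec.in `@@ -774,6 +772,7 @@` hunk, `+%ghost %{_localstatedir}/named/dyndb-ldap/ipa` replaces the old `%dir %attr(0770,named,named)` entry but carries no `%dir`; with the `mkdir -p` removed from %install the path no longer exists in the buildroot, so rpm records the ghost as a regular file, and `%ghost %dir` is the form for a directory the plugin creates at runtime. A short comment beside the entry saying that dnskeysyncinstance now sets owner and mode would save the next reader a search.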
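Review bot: `__setup_dyndb_ldap_workdir` in the dnskeysyncinstance.py `@@ -171,6 +173,25 @@` hunk checks `os.path.exists(...)` and then calls `os.chmod`/`os.chown` on the path, both of which follow symlinks, so whatever sits at `paths.BIND_LDAP_DNS_IPA_WORKDIR` at that moment gets handed to named by the root-run installer; stat the path without following links (or open it with O_NOFOLLOW|O_DIRECTORY and use fchown/fchmod) and refuse anything that is not a real directory. The method also re-resolves the gid with `grp.getgrnam` although the context lines right after it (`assert self.named_gid is not None`) show the instance already carries `self.named_gid`; reuse it. Neither `import pwd` nor `import grp` appears in this diff, so confirm both are already imported in that module.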
Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
Hi,

On 11.11.2014 at 16:22, Martin Basti wrote:
> Using the specfile to create the file doesn't work if the named user is not on the system.
> Appropriate permissions have to be set during ipa-dns installation.
>
> Patch attached

Why is the directory set up in dnskeysyncinstance instead of bindinstance?

The original patch was released with 4.1.1, shouldn't there be an update in ipa-upgradeconfig?

Honza

--
Jan Cholasta
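The working-directory setup from the patches in this thread, redone as an added example (my code, not FreeIPA's) that closes the gap the patch leaves between checking the path and changing its owner: the directory is opened with O_NOFOLLOW|O_DIRECTORY and owner and mode are applied to that descriptor, so a symlink or plain file planted at the path is refused rather than followed, and a directory that is already correct yields no actions, which is what lets one routine serve both the installer step and the ipa-upgradeconfig run asked about above. Function names are mine, and the current user and group stand in for named:named so it runs unprivileged.

```python
import errno
import grp
import os
import pwd
import stat
import tempfile


def resolve_service_ids(user, group):
    """Map service user/group names to ids; fail loudly (as the patch does)
    when the account does not exist yet, e.g. named not installed."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        raise RuntimeError("user %r not found" % user)
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        raise RuntimeError("group %r not found" % group)
    return uid, gid


def ensure_private_workdir(path, uid, gid, mode=0o770):
    """Make `path` a real directory owned by uid:gid with exactly `mode`.
    Owner/mode go through a descriptor opened O_NOFOLLOW|O_DIRECTORY, so a
    symlink or file planted at `path` is rejected. Returns actions taken."""
    actions = []
    try:
        os.mkdir(path, mode)  # umask may strip bits; fchmod below fixes that
        actions.append("created")
    except FileExistsError:
        pass
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise RuntimeError("%s is not a real directory; refusing" % path)
        raise
    try:
        st = os.fstat(fd)
        if (st.st_uid, st.st_gid) != (uid, gid):
            os.fchown(fd, uid, gid)
            actions.append("chowned")
        if stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)
            actions.append("chmodded")
    finally:
        os.close(fd)
    return actions


def demo():
    """Run the routine in a fresh temp dir; the current user and group stand
    in for named:named. Returns the observations as a dict."""
    root = tempfile.mkdtemp()
    try:
        uid, gid = resolve_service_ids(pwd.getpwuid(os.getuid()).pw_name,
                                       grp.getgrgid(os.getgid()).gr_name)
    except KeyError:  # id without a passwd/group entry (minimal sandbox)
        uid, gid = os.getuid(), os.getgid()
    workdir = os.path.join(root, "dyndb-ldap", "ipa")
    os.makedirs(os.path.dirname(workdir))
    first = ensure_private_workdir(workdir, uid, gid)   # creates + fixes
    second = ensure_private_workdir(workdir, uid, gid)  # nothing left to do
    link = os.path.join(root, "planted-link")  # constructed: link at the path
    os.symlink(workdir, link)
    try:
        ensure_private_workdir(link, uid, gid)
        rejected = False
    except RuntimeError:
        rejected = True
    return {"ids_ok": (uid, gid) == (os.getuid(), os.getgid()), "first": first,
            "second": second, "symlink_rejected": rejected,
            "mode": stat.S_IMODE(os.stat(workdir).st_mode)}
```

demo() runs the whole sequence in a fresh temporary directory and returns what it observed, so it can be called directly from an interpreter.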