Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Christian Heimes
On 2015-09-23 12:40, Jan Cholasta wrote:
> On 23.9.2015 11:44, Christian Heimes wrote:
>> On 2015-09-23 10:54, Jan Cholasta wrote:
 Correction, the HTTP server works, but it spits lots of errors in
 error_log about /var/lib/kdcproxy not existing.

 Is the KDCProxy supposed to be installed/enabled on upgrade?
 If not, why not ?
 Even if it is not enabled, shouldn't the user be created just in case ?
>>>
>>> Fixed, patch attached.
>>
>> I haven't tested the patch yet. It looks like the kdcproxy user doesn't
>> own its home directory. Please chown /var/lib/kdcproxy.
> 
> I can't chown it because the user may not exist at RPM install time. It
> doesn't matter anyway, since nothing is ever stored in the directory and
> KDC proxy works just fine. The same thing is done for the DS user and
> nobody complained so far, so I assumed it should be OK for KDC proxy as
> well.

I think we have a slight misunderstanding here. :) Of course you can't
set the owner at RPM install time. I wasn't talking about chown-ing the
directory in RPM, but chown-ing the directory after or inside the
tasks.create_system_user() call. Sorry for the confusion!

AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
directory. It's not guaranteed for eternity, though.

Christian



-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Jan Cholasta

On 23.9.2015 11:44, Christian Heimes wrote:

On 2015-09-23 10:54, Jan Cholasta wrote:

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in case ?


Fixed, patch attached.


I haven't tested the patch yet. It looks like the kdcproxy user doesn't
own its home directory. Please chown /var/lib/kdcproxy.


I can't chown it because the user may not exist at RPM install time. It 
doesn't matter anyway, since nothing is ever stored in the directory and 
KDC proxy works just fine. The same thing is done for the DS user and 
nobody complained so far, so I assumed it should be OK for KDC proxy as 
well.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Jan Cholasta

On 23.9.2015 12:49, Christian Heimes wrote:

On 2015-09-23 12:40, Jan Cholasta wrote:

On 23.9.2015 11:44, Christian Heimes wrote:

On 2015-09-23 10:54, Jan Cholasta wrote:

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in case ?


Fixed, patch attached.


I haven't tested the patch yet. It looks like the kdcproxy user doesn't
own its home directory. Please chown /var/lib/kdcproxy.


I can't chown it because the user may not exist at RPM install time. It
doesn't matter anyway, since nothing is ever stored in the directory and
KDC proxy works just fine. The same thing is done for the DS user and
nobody complained so far, so I assumed it should be OK for KDC proxy as
well.


I think we have a slight misunderstanding here. :) Of course you can't
set the owner at RPM install time. I wasn't talking about chown-ing the
directory in RPM, but chown-ing the directory after or inside the
tasks.create_system_user() call. Sorry for the confusion!

AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
directory. It's not guaranteed for eternity, though.


OK. Updated patch attached. Added patch 496, please apply before 495.

--
Jan Cholasta
From 2877e9a98423fd4b66834f2c71dd47c32a6d4f45 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 23 Sep 2015 13:09:44 +0200
Subject: [PATCH 1/2] platform: add option to create home directory when adding
 user

https://fedorahosted.org/freeipa/ticket/5314
---
 ipaplatform/base/tasks.py   | 8 ++--
 ipaplatform/redhat/tasks.py | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 6571514..573287c 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -184,7 +184,7 @@ class BaseTaskNamespace(object):
 
 return
 
-def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
 """Create a system user with a corresponding group"""
 try:
 grp.getgrnam(group)
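Review bot: the new `create_homedir=False` parameter is not described anywhere; the docstring right under the signature still reads only `"""Create a system user with a corresponding group"""`. Say what the flag does and that the default keeps the old `-M` (no home directory) behaviour, since callers in ipaserver will rely on that distinction.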
@@ -211,12 +211,16 @@ class BaseTaskNamespace(object):
 '-g', group,
 '-d', homedir,
 '-s', shell,
-'-M', '-r', name,
+'-r', name,
 ]
 if uid:
 args += ['-u', str(uid)]
 if comment:
 args += ['-c', comment]
+if create_homedir:
+args += ['-m']
+else:
+args += ['-M']
 try:
 ipautil.run(args)
 log.debug('Done adding user')
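Review bot: `-m` makes useradd create the directory owned by the new user, but the mode comes from login.defs (UMASK is 077 in the default Fedora login.defs, so the home ends up 0700) and the contents of /etc/skel are copied into it; neither is what a service home such as /var/lib/kdcproxy wants. Either pass `-k` with an empty skeleton directory, or create the directory explicitly after the useradd call and set owner and mode from the caller. Separately, `if uid:` still skips `-u` for uid 0; `if uid is not None:` is the safer test while this block is being touched.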
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 3b522b0..dd614c9 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -400,7 +400,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 
 return True
 
-def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
 """
 Create a system user with a corresponding group
 
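Review bot: the override's docstring that follows the new signature does not mention `create_homedir` either; document it here as well, or drop the duplicated docstring so the base class one (once updated) is inherited.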
@@ -421,7 +421,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 comment = 'DS System User'
 
 super(RedHatTaskNamespace, self).create_system_user(name, group,
-homedir, shell, uid, gid, comment)
+homedir, shell, uid, gid, comment, create_homedir)
 
 
 tasks = RedHatTaskNamespace()
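Review bot: `create_homedir` is appended as a seventh positional argument to the `super()` call; with this many optional parameters a keyword call (`comment=comment, create_homedir=create_homedir`) would keep the two signatures from silently drifting the next time one of them gains a parameter.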
-- 
2.4.3

From e87cb5acc9556ab7ead897c8d112da576be848ed Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 23 Sep 2015 10:35:06 +0200
Subject: [PATCH 2/2] install: fix kdcproxy user home directory

https://fedorahosted.org/freeipa/ticket/5314
---
 freeipa.spec.in   | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/httpinstance.py | 4 +++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7a199a5..36179c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -482,7 +482,6 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
-mkdir -p %{buildroot}%{kdcproxy_home}
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 
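Review bot: with `mkdir -p %{buildroot}%{kdcproxy_home}` gone, nothing in the package creates /var/lib/kdcproxy any more; on an upgrade of an existing server the directory only appears if the upgrade code path calls `create_kdcproxy_user()` with `create_homedir` set, so make sure ipa-server-upgrade does that (Simo's report at the top of the thread was exactly the upgrade case).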
@@ -714,6 +713,7 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%ghost %verify(not owner group) %dir 
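Review bot: the `%files` entry is cut off in this copy of the mail after `%dir`, so the path itself cannot be checked here. The combination `%ghost %verify(not owner group) %dir` is the right one for a directory that useradd `-m` creates at server install time: rpm will neither create it at package install nor report the kdcproxy ownership as a mismatch in `rpm -V`, and it is still removed together with the package on erase. This is Simo's option 1 below; the one thing to avoid is falling back to a plain `%dir` plus a later chown.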

Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Simo Sorce
On Wed, 2015-09-23 at 13:37 +0200, Jan Cholasta wrote:
> On 23.9.2015 12:49, Christian Heimes wrote:
> > On 2015-09-23 12:40, Jan Cholasta wrote:
> >> On 23.9.2015 11:44, Christian Heimes wrote:
> >>> On 2015-09-23 10:54, Jan Cholasta wrote:
> > Correction, the HTTP server works, but it spits lots of errors in
> > error_log about /var/lib/kdcproxy not existing.
> >
> > Is the KDCProxy supposed to be installed/enabled on upgrade?
> > If not, why not ?
> > Even if it is not enabled, shouldn't the user be created just in case ?
> 
>  Fixed, patch attached.
> >>>
> >>> I haven't tested the patch yet. It looks like the kdcproxy user doesn't
> >>> own its home directory. Please chown /var/lib/kdcproxy.
> >>
> >> I can't chown it because the user may not exist at RPM install time. It
> >> doesn't matter anyway, since nothing is ever stored in the directory and
> >> KDC proxy works just fine. The same thing is done for the DS user and
> >> nobody complained so far, so I assumed it should be OK for KDC proxy as
> >> well.
> >
> > I think we have a slight misunderstanding here. :) Of course you can't
> > set the owner at RPM install time. I wasn't talking about chown-ing the
> > directory in RPM, but chown-ing the directory after or inside the
> > tasks.create_system_user() call. Sorry for the confusion!
> >
> > AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
> > directory. It's not guaranteed for eternity, though.
> 
> OK. Updated patch attached. Added patch 496, please apply before 495.

We have 2 options:
1. Home is created and chowned at user creation time
2. Home is owned by RPM packages.

The option we do *not* have is to have RPM own the directory and then
chown it later.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
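Whichever of Simo's two options is taken, the state a practitioner wants to confirm after install or upgrade is the same: the service home (here /var/lib/kdcproxy) exists, is a real directory, is owned by the service account that useradd created, and is not writable by anyone else. The following is an added example of that check, not FreeIPA code; the function names are assumptions, and the demo runs on a constructed temporary directory as the current user instead of the real path so it works offline.

```python
"""Added example (not FreeIPA code): post-install check that a service
account's home directory exists and is owned by that account."""
import os
import pwd
import stat
import tempfile


def check_service_homedir(path, uid, gid):
    """Return a list of problems with the directory at *path*; [] means OK.

    lstat is used so a symlink planted at the path is reported instead of
    followed. The ownership check is the condition that useradd -m, or an
    explicit chown after the user exists, has to satisfy; a plain rpm-owned
    %dir created before the user exists will fail it with root as owner.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symlink" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    if st.st_uid != uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, uid))
    if st.st_gid != gid:
        problems.append("group gid %d, expected %d" % (st.st_gid, gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("mode %04o is group/world writable" % mode)
    return problems


def check_user_homedir(username):
    """Resolve *username* via the passwd database and check its home.

    Raises KeyError when the user does not exist, which on an upgraded
    server is the first symptom reported in the thread.
    """
    pw = pwd.getpwnam(username)
    return check_service_homedir(pw.pw_dir, pw.pw_uid, pw.pw_gid)


def demo():
    """Exercise the check on a constructed temp directory (not /var/lib).

    Returns the results for: a correct directory, a wrong owner, a
    world-writable directory, and a missing directory.
    """
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "kdcproxy")
        os.mkdir(home, 0o755)
        os.chmod(home, 0o755)          # mkdir mode is subject to umask
        # The group of a fresh directory depends on the parent on
        # BSD-style systems, so read it back rather than assume getgid().
        gid = os.lstat(home).st_gid
        ok = check_service_homedir(home, uid, gid)
        wrong_owner = check_service_homedir(home, uid + 1, gid)
        os.chmod(home, 0o777)
        writable = check_service_homedir(home, uid, gid)
        missing = check_service_homedir(os.path.join(base, "missing"), uid, gid)
    return ok, wrong_owner, writable, missing


if __name__ == "__main__":
    for label, result in zip(("ok", "wrong_owner", "writable", "missing"),
                             demo()):
        print(label, result or "OK")
```

On a real server the call would be `check_user_homedir("kdcproxy")`; an empty list is the state both of Simo's options produce, and a root-owned result is the "rpm owns it, chown later" case he rules out.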



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Martin Babinsky

On 09/23/2015 01:37 PM, Jan Cholasta wrote:

On 23.9.2015 12:49, Christian Heimes wrote:

On 2015-09-23 12:40, Jan Cholasta wrote:

On 23.9.2015 11:44, Christian Heimes wrote:

On 2015-09-23 10:54, Jan Cholasta wrote:

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in
case ?


Fixed, patch attached.


I haven't tested the patch yet. It looks like the kdcproxy user doesn't
own its home directory. Please chown /var/lib/kdcproxy.


I can't chown it because the user may not exist at RPM install time. It
doesn't matter anyway, since nothing is ever stored in the directory and
KDC proxy works just fine. The same thing is done for the DS user and
nobody complained so far, so I assumed it should be OK for KDC proxy as
well.


I think we have a slight misunderstanding here. :) Of course you can't
set the owner at RPM install time. I wasn't talking about chown-ing the
directory in RPM, but chown-ing the directory after or inside the
tasks.create_system_user() call. Sorry for the confusion!

AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
directory. It's not guaranteed for eternity, though.


OK. Updated patch attached. Added patch 496, please apply before 495.




ACK to both patches.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Jan Cholasta

On 23.9.2015 16:25, Martin Babinsky wrote:

On 09/23/2015 01:37 PM, Jan Cholasta wrote:

On 23.9.2015 12:49, Christian Heimes wrote:

On 2015-09-23 12:40, Jan Cholasta wrote:

On 23.9.2015 11:44, Christian Heimes wrote:

On 2015-09-23 10:54, Jan Cholasta wrote:

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in
case ?


Fixed, patch attached.


I haven't tested the patch yet. It looks like the kdcproxy user
doesn't
own its home directory. Please chown /var/lib/kdcproxy.


I can't chown it because the user may not exist at RPM install time. It
doesn't matter anyway, since nothing is ever stored in the directory
and
KDC proxy works just fine. The same thing is done for the DS user and
nobody complained so far, so I assumed it should be OK for KDC proxy as
well.


I think we have a slight misunderstanding here. :) Of course you can't
set the owner at RPM install time. I wasn't talking about chown-ing the
directory in RPM, but chown-ing the directory after or inside the
tasks.create_system_user() call. Sorry for the confusion!

AFAIK neither mod_wsgi nor python-kdcproxy need a writeable home
directory. It's not guaranteed for eternity, though.


OK. Updated patch attached. Added patch 496, please apply before 495.




ACK to both patches.



Thanks.

Pushed to:
master: 4c39561261e79fe1cfdef916eafbcb9c204e77e8
ipa-4-2: 091b119580f7bbd534e7643e09fd33a85d8c010b

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Jan Cholasta

On 23.9.2015 02:22, Simo Sorce wrote:

On Tue, 2015-09-22 at 20:09 -0400, Simo Sorce wrote:

On Tue, 2015-09-22 at 16:35 +0200, Jan Cholasta wrote:

On 22.9.2015 15:11, Martin Babinsky wrote:

On 09/22/2015 01:33 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




ACK



Thanks.

Pushed to:
master: 0de860318332114ca739a8dd45902f7cc9a3c722
ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591


This patch is somehow broken.

I see that %{kdcproxy_home} has been removed from the spec file but not
from everywhere, and it is simply undefined.

On upgrade of my server I have no kdcproxy user and http fails to
operate complaining that /var/lib/kdcproxy does not exist.


Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in case ?


Fixed, patch attached.

--
Jan Cholasta
From 45bc745849aade6e9f0495479e9df5d32d43274b Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 23 Sep 2015 10:35:06 +0200
Subject: [PATCH] install: fix kdcproxy user home directory

https://fedorahosted.org/freeipa/ticket/5314
---
 freeipa.spec.in   | 3 ++-
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/httpinstance.py | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7a199a5..782eefc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -482,7 +482,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
-mkdir -p %{buildroot}%{kdcproxy_home}
+mkdir -p %{buildroot}%{_sharedstatedir}/kdcproxy
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 
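Review bot: the literal `%{_sharedstatedir}/kdcproxy` now appears here, again in `%files`, and a third time as `VAR_LIB_KDCPROXY` in paths.py. Simo's report came from `%{kdcproxy_home}` being used after its definition had been removed; defining the macro once near the top of the spec and using it in both sections avoids both the undefined-macro failure and the three copies drifting apart.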
@@ -714,6 +714,7 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
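Review bot: `%dir %{_sharedstatedir}/kdcproxy` without `%attr` makes rpm own the directory as root:root, yet httpinstance.py sets it as the kdcproxy user's home. The user does not exist at rpm install time, so it cannot be chowned here, and chowning it after useradd leaves an rpm-owned path whose owner no longer matches the package (reported by `rpm -V`, and liable to be reset on reinstall). Either let useradd create it and mark it `%ghost` here, or keep it rpm-owned and accept root ownership; this is the clash Christian and Simo raise in the replies.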
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 97c330c..215caf9 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -286,6 +286,7 @@ class BasePathNamespace(object):
 REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
 SYSRESTORE = "/var/lib/ipa/sysrestore"
 STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
+VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
 VAR_LIB_PKI_DIR = "/var/lib/pki"
 VAR_LIB_PKI_CA_DIR = "/var/lib/pki-ca"
 PKI_ALIAS_CA_P12 = "/var/lib/pki-ca/alias/ca.p12"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7358511..ab84780 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -85,8 +85,9 @@ def create_kdcproxy_user():
 tasks.create_system_user(
 name=KDCPROXY_USER,
 group=KDCPROXY_USER,
-homedir=paths.VAR_LIB,
+homedir=paths.VAR_LIB_KDCPROXY,
 shell=paths.NOLOGIN,
+comment="IPA KDC Proxy User",
 )
 
 
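Review bot: `create_system_user()` in ipaplatform/base passes `-M` to useradd (visible in the other patch's hunk, `'-M', '-r', name`), so this change only alters the passwd entry; the directory itself has to exist already from the spec's `%dir` and stays owned by root, which is what Christian's chown request is about. Either a home-creation flag on `create_system_user()` or an explicit chown after this call is needed for the home to actually belong to kdcproxy.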
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-23 Thread Christian Heimes
On 2015-09-23 10:54, Jan Cholasta wrote:
>> Correction, the HTTP server works, but it spits lots of errors in
>> error_log about /var/lib/kdcproxy not existing.
>>
>> Is the KDCProxy supposed to be installed/enabled on upgrade?
>> If not, why not ?
>> Even if it is not enabled, shouldn't the user be created just in case ?
> 
> Fixed, patch attached.

I haven't tested the patch yet. It looks like the kdcproxy user doesn't
own its home directory. Please chown /var/lib/kdcproxy.

Christian





Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 16:35 +0200, Jan Cholasta wrote:
> On 22.9.2015 15:11, Martin Babinsky wrote:
> > On 09/22/2015 01:33 PM, Jan Cholasta wrote:
> >> Hi,
> >>
> >> the attached patch fixes .
> >>
> >> Honza
> >>
> >>
> >>
> > ACK
> >
> 
> Thanks.
> 
> Pushed to:
> master: 0de860318332114ca739a8dd45902f7cc9a3c722
> ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591

This patch is somehow broken.

I see that %{kdcproxy_home} has been removed from the spec file but not
from everywhere, and it is simply undefined.

On upgrade of my server I have no kdcproxy user and http fails to
operate complaining that /var/lib/kdcproxy does not exist.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 20:09 -0400, Simo Sorce wrote:
> On Tue, 2015-09-22 at 16:35 +0200, Jan Cholasta wrote:
> > On 22.9.2015 15:11, Martin Babinsky wrote:
> > > On 09/22/2015 01:33 PM, Jan Cholasta wrote:
> > >> Hi,
> > >>
> > >> the attached patch fixes .
> > >>
> > >> Honza
> > >>
> > >>
> > >>
> > > ACK
> > >
> > 
> > Thanks.
> > 
> > Pushed to:
> > master: 0de860318332114ca739a8dd45902f7cc9a3c722
> > ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591
> 
> This patch is somehow broken.
> 
> I see that %{kdcproxy_home} has been removed from the spec file but not
> from everywhere, and it is simply undefined.
> 
> On upgrade of my server I have no kdcproxy user and http fails to
> operate complaining that /var/lib/kdcproxy does not exist.

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in case ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Jan Cholasta

On 22.9.2015 15:11, Martin Babinsky wrote:

On 09/22/2015 01:33 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




ACK



Thanks.

Pushed to:
master: 0de860318332114ca739a8dd45902f7cc9a3c722
ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Martin Babinsky

On 09/22/2015 01:33 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




ACK

--
Martin^3 Babinsky
