[Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. https://fedorahosted.org/freeipa/ticket/3102 -- / Alexander Bokovoy From 81f31e5fef0e21cc256bd8f8bffa6e551b72da89 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Oct 2012 09:46:08 +0300 Subject: [PATCH 3/5] Make sure samba{,4}-winbind-krb5-locator package is not installed when trusts are in use Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. https://fedorahosted.org/freeipa/ticket/3102 --- freeipa.spec.in | 9 + 1 file changed, 9 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..a9cb05002831cb85f3446b70572828e6f60c7649 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -230,6 +230,12 @@ Requires: samba4 Requires: samba4-winbind %endif Requires: libsss_idmap +# There should be no winbind-based krb5 locator plugin installed on the server where +# trusts are configured since the configurations basically contradict each other +Conflicts: samba4-winbind-krb5-locator +Conflicts: samba-winbind-krb5-locator +Obsoletes: samba4-winbind-krb5-locator +Obsoletes: samba-winbind-krb5-locator %description server-trust-ad Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. @@ -786,6 +792,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Wed Oct 10 2012 Alexander Bokovoy aboko...@redhat.com - 2.99.0-49 +- Make sure server-trust-ad subpackage conflicts with samba{,4}-winbind-krb5-locator + * Mon Oct 8 2012 Martin Kosek mko...@redhat.com - 2.99.0-48 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca -- 1.7.12 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy From ce35a07c652bfafd68c2be6878d92675f15d810c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Oct 2012 09:46:08 +0300 Subject: [PATCH 3/5] Make sure samba{,4}-winbind-krb5-locator package is not used when trusts are in going to be configured Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, use alternatives mechanism to turn off the locator plugin by symlinking it to /dev/null. https://fedorahosted.org/freeipa/ticket/3102 --- freeipa.spec.in | 30 ++ 1 file changed, 30 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..97aa501b3153243ddb213c1b6d85d7a46cc00b70 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -230,6 +230,13 @@ Requires: samba4 Requires: samba4-winbind %endif Requires: libsss_idmap +# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 +# on the installes where server-trust-ad subpackage is installed because +# IPA AD trusts cannot be used at the same time with the locator plugin +# since Winbindd will be configured in a different mode +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Requires(preun): %{_sbindir}/update-alternatives %description server-trust-ad Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. @@ -438,6 +445,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfil mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ +mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 +touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so + %if 0%{?fedora} = 16 # Default to systemd initscripts for F16 and above mkdir -p %{buildroot}%{_unitdir} @@ -568,6 +578,22 @@ if [ $? == 0 -a ${SELINUXTYPE} == targeted -a -f ${FILE_CONTEXT}.%{name} ]; t rm -f ${FILE_CONTEXT}.%name fi fi + +%postun server-trust-ad +if [ $1 -ge 1 ]; then + if [ `readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so` == /dev/null ]; then + %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null + fi +fi + +%post server-trust-ad +%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ + winbind_krb5_locator.so /dev/null 90 + +%preun server-trust-ad +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null +fi %endif @@ -733,6 +759,7 @@ fi %{_mandir}/man1/ipa-adtrust-install.1.gz %{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/install/adtrustinstance* +%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %endif %files client @@ -786,6 +813,10 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Wed Oct 10 2012 Alexander Bokovoy aboko...@redhat.com - 2.99.0-49 +- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so + plugin to /dev/null since they cannot be used when trusts are configured + * Mon Oct 8 2012 Martin Kosek mko...@redhat.com - 2.99.0-48 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca -- 1.7.12 ___
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. Attached is the patch for samba (f18, rawhide). -- / Alexander Bokovoy From a78139d777deab75e3bf500472d88cba6a720484 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Oct 2012 12:21:42 +0300 Subject: [PATCH] Move winbind_krb5_locator.so to back to %_libdir and use alternatives instead This is required to support IPA AD trusts where winbind_krb5_locator.so should be disabled. The only way to disable it without uninstalling the package is to make it configurable via alternatives system. --- samba.spec | 36 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/samba.spec b/samba.spec index 292fd7e90221795982788dc7a7606fa907dfa4e3..a3cc66b326f7cf83b4c81939aa70d35b80fcae0b 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 152 +%define main_release 153 %define samba_version 4.0.0 %define talloc_version 2.0.7 @@ -279,6 +279,14 @@ Requires: %{name}-libs = %{samba_depver} Provides: samba4-winbind-krb5-locator = %{samba_depver} Obsoletes: samba4-winbind-krb5-locator %{samba_depver} +# Handle winbind_krb5_locator.so as alternatives to allow +# IPA AD trusts case where it should not be used by libkrb5 +# The plugin will be diverted to /dev/null by the FreeIPA +# freeipa-server-trust-ad subpackage due to higher priority +# and restored to the proper one on uninstall +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Requires(preun): %{_sbindir}/update-alternatives %description winbind-krb5-locator The winbind krb5 locator is a plugin for the system kerberos library to allow @@ -538,8 +546,7 @@ done # winbind krb5 locator install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5 -install -m 755 %{buildroot}/%{_libdir}/winbind_krb5_locator.so %{buildroot}/%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -rm -f %{buildroot}/%{_libdir}/winbind_krb5_locator.so +touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # cleanup stuff that does not belong here rm -f %{buildroot}/%{_mandir}/man3/ldb.3* @@ -557,6 +564,7 @@ rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp # Fix up permission on perl install. %{_fixperms} %{buildroot}%{perl_vendorlib} + # Remove stuff the buildsystem did not handle correctly rm -f %{buildroot}%{_libdir}/security/pam_smbpass.so rm -f %{buildroot}%{python_sitelib}/tevent.py @@ -622,6 +630,22 @@ rm -f %{buildroot}%{python_sitelib}/tevent.py %postun -n libwbclient -p /sbin/ldconfig %endif # with_libwbclient +%postun winbind-krb5-locator +if [ $1 -ge 1 ]; then +if [ `readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so` == %{_libdir}/winbind_krb5_locator.so ]; then +%{_sbindir}/alternatives --set winbind_krb5_locator %{_libdir}/winbind_krb5_locator.so +fi +fi + +%post winbind-krb5-locator +%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ +winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10 + +%preun winbind-krb5-locator +if [ $1 -eq 0 ]; then +%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so +fi + %clean rm -rf %{buildroot} @@ -905,7 +929,8 @@ rm -rf %{buildroot} %files winbind-krb5-locator %defattr(-,root,root)
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy it works for me as well, so ACK. But I think we should add some minimal version to 'Requires: samba4' as well to make sure that it will work with the installed samba version. Shall we add this with a second patch later when the packages are available or hold the whole patch? bye, Sumit ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, 10 Oct 2012, Sumit Bose wrote: On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy it works for me as well, so ACK. But I think we should add some minimal version to 'Requires: samba4' as well to make sure that it will work with the installed samba version. Shall we add this with a second patch later when the packages are available or hold the whole patch? Since alternatives do not change the target if it is not a symlink, we can safely make a second patch once Andreas makes new packages available. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wednesday 10 October 2012 15:40:17 Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Sumit Bose wrote: On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy it works for me as well, so ACK. But I think we should add some minimal version to 'Requires: samba4' as well to make sure that it will work with the installed samba version. Shall we add this with a second patch later when the packages are available or hold the whole patch? Since alternatives do not change the target if it is not a symlink, we can safely make a second patch once Andreas makes new packages available. Packages with the patch are build and available at: https://admin.fedoraproject.org/updates/samba-4.0.0-153.fc18.rc2 RHEL6 packages are building and will be available in a few hours. -- andreas -- Andreas Schneider GPG-ID: 8B7EB4B8 Red Hat a...@redhat.com Samba Team a...@samba.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
On Wed, 2012-10-10 at 17:57 +0200, Andreas Schneider wrote: On Wednesday 10 October 2012 15:40:17 Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Sumit Bose wrote: On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy it works for me as well, so ACK. But I think we should add some minimal version to 'Requires: samba4' as well to make sure that it will work with the installed samba version. Shall we add this with a second patch later when the packages are available or hold the whole patch? Since alternatives do not change the target if it is not a symlink, we can safely make a second patch once Andreas makes new packages available. Packages with the patch are build and available at: https://admin.fedoraproject.org/updates/samba-4.0.0-153.fc18.rc2 RHEL6 packages are building and will be available in a few hours. Tested with all packages in place and after an upgrade from 2.2.0 to 3.0 ACK all around. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use
Simo Sorce wrote: On Wed, 2012-10-10 at 17:57 +0200, Andreas Schneider wrote: On Wednesday 10 October 2012 15:40:17 Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Sumit Bose wrote: On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Alexander Bokovoy wrote: Hi, Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, make sure there is conflict that will force removing samba{,4}-winbind-krb5-locator package when -server-trust-ad subpackage is installed. Please note that since feature-wise the two packages would be conflicting in use, one has to play tricks with rpm to enforce automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes: in addtion to Conflicts: tag. This allows to ensure the two packages never installed together: Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after freeipa-server-trust-ad subpackage is installed. Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator during the install of freeipa-server-trust-ad. Unfortunately, the side-effect of the Obsoletes: tag is that freeipa-server-trust-ad would always be selected from the repository whenever one wants to install samba{,4}-winbind-krb5-locator, so this approach does not work. We can keep pure Conflicts: tags because they would prevent co-install of the packages. They alone would not be able to provide way to solve conflicts. I'm working on a bit more complex variant with alternatives. New patch attached. I verified that it works but in order to make it useful, samba{,4} package needs to be updated to include alternatives for winbind_krb5_locator.so plugin. Working on that now. -- / Alexander Bokovoy it works for me as well, so ACK. But I think we should add some minimal version to 'Requires: samba4' as well to make sure that it will work with the installed samba version. Shall we add this with a second patch later when the packages are available or hold the whole patch? Since alternatives do not change the target if it is not a symlink, we can safely make a second patch once Andreas makes new packages available. Packages with the patch are build and available at: https://admin.fedoraproject.org/updates/samba-4.0.0-153.fc18.rc2 RHEL6 packages are building and will be available in a few hours. Tested with all packages in place and after an upgrade from 2.2.0 to 3.0 ACK all around. Simo. Pushed Alexander's patch to master and ipa-3-0 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel