URL: https://github.com/freeipa/freeipa/pull/623 Author: HonzaCholasta Title: #623: client install: do not assume /etc/krb5.conf.d exists Action: synchronized
From 540fa8f81622838815d784fd5295c7a4656caf3c Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 20 Mar 2017 06:56:53 +0000 Subject: [PATCH] install: do not assume /etc/krb5.conf.d exists Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if /etc/krb5.conf.d exists. Do not rely on /etc/krb5.conf.d to enable the certauth plugin. This fixes install on platforms which do not have /etc/krb5.conf.d. https://pagure.io/freeipa/issue/6589 --- .gitignore | 1 - daemons/ipa-kdb/Makefile.am | 12 +-------- daemons/ipa-kdb/ipa-certauth.in | 5 ---- freeipa.spec.in | 1 - install/share/krb5.conf.template | 7 ++++- ipaclient/install/client.py | 16 +++++++----- ipaplatform/base/paths.py | 2 ++ ipaplatform/redhat/paths.py | 1 + ipaserver/install/krbinstance.py | 9 ++++++- ipaserver/install/server/upgrade.py | 51 +++++++++++++++++++++++++++++++++++++ 10 files changed, 79 insertions(+), 26 deletions(-) delete mode 100644 daemons/ipa-kdb/ipa-certauth.in diff --git a/.gitignore b/.gitignore index 8941fd8..90d7d23 100644 --- a/.gitignore +++ b/.gitignore @@ -75,7 +75,6 @@ freeipa2-dev-doc /daemons/dnssec/ipa-ods-exporter.socket /daemons/ipa-kdb/ipa_kdb_tests /daemons/ipa-kdb/tests/.dirstamp -/daemons/ipa-kdb/ipa-certauth /daemons/ipa-otpd/ipa-otpd /daemons/ipa-otpd/ipa-otpd.socket /daemons/ipa-otpd/ipa-otpd@.service diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 715666e..a512ab7 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -42,16 +42,6 @@ ipadb_la_SOURCES = \ if BUILD_IPA_CERTAUTH_PLUGIN ipadb_la_SOURCES += ipa_kdb_certauth.c - - -%: %.in - sed \ - -e 's|@plugindir@|$(plugindir)|g' \ - '$(srcdir)/$@.in' >$@ - -krb5confdir = $(sysconfdir)/krb5.conf.d -krb5conf_DATA = ipa-certauth -CLEANFILES = $(krb5conf_DATA) endif ipadb_la_LDFLAGS = \ 
@@ -105,7 +95,7 @@ ipa_kdb_tests_LDADD = \ -lsss_idmap \ $(NULL) -dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in +dist_noinst_DATA = ipa_kdb.exports clean-local: rm -f tests/.dirstamp diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in deleted file mode 100644 index eda89a2..0000000 --- a/daemons/ipa-kdb/ipa-certauth.in +++ /dev/null @@ -1,5 +0,0 @@ -[plugins] - certauth = { - module = ipakdb:@plugindir@/ipadb.so - enable_only = ipakdb - } diff --git a/freeipa.spec.in b/freeipa.spec.in index 5419ed1..d1bb171 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1167,7 +1167,6 @@ fi %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf -%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth %dir %{_libexecdir}/ipa/certmonger %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index e8b2ad8..acfeeb3 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -1,4 +1,4 @@ -includedir /etc/krb5.conf.d/ +$INCLUDES includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] @@ -34,3 +34,8 @@ $OTHER_DOMAIN_REALM_MAPS db_library = ipadb.so } +[plugins] + certauth = { + module = ipakdb:$IPADB_SO + enable_only = ipakdb + } diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 549c9b8..371581a 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -641,14 +641,18 @@ def configure_krb5_conf( 'value': 'File modified by ipa-client-install' }, krbconf.emptyLine(), - { - 'name': 'includedir', - 'type': 'option', - 'value': paths.COMMON_KRB5_CONF_DIR, - 'delim': ' ' - } ] + if os.path.exists(paths.COMMON_KRB5_CONF_DIR): + opts.extend([ + { + 'name': 'includedir', + 'type': 'option', + 'value': paths.COMMON_KRB5_CONF_DIR, + 'delim': ' ' + } + ]) + # SSSD include dir if configure_sssd: opts.extend([ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9cf160f..7395f14 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -186,12 +186,14 @@ class BasePathNamespace(object): BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/" USR_LIB_DIRSRV = "/usr/lib/dirsrv" LIB_FIREFOX = "/usr/lib/firefox" + KRB5_IPADB_SO = "/usr/lib/krb5/plugins/kdb/ipadb.so" LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so" PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so" LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so" USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv" LIB64_FIREFOX = "/usr/lib64/firefox" + KRB5_IPADB_SO_64 = "/usr/lib64/krb5/plugins/kdb/ipadb.so" LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so" PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so" DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py index 91ba9d0..af44d02 100644 --- a/ipaplatform/redhat/paths.py +++ b/ipaplatform/redhat/paths.py @@ -31,6 +31,7 @@ class RedHatPathNamespace(BasePathNamespace): # https://docs.python.org/2/library/platform.html#cross-platform if sys.maxsize > 2**32: + KRB5_IPADB_SO = BasePathNamespace.KRB5_IPADB_SO_64 LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64 
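Review bot: The new guard in configure_krb5_conf tests `os.path.exists(paths.COMMON_KRB5_CONF_DIR)`, but krb5's `includedir` needs a readable directory and refuses to parse krb5.conf when the path is not one (the same failure mode this patch avoids for a missing path), so `os.path.isdir(paths.COMMON_KRB5_CONF_DIR)` is the check that matches what the generated line requires. The same `os.path.exists` test is introduced in `__setup_sub_dict` in ipaserver/install/krbinstance.py and should be changed there as well. The single-element `opts.extend([{...}])` reads more naturally as `opts.append({...})`; that is purely stylistic. configure_krb5_conf continues past both ends of the hunk.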
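Review bot: `KRB5_IPADB_SO` hard-codes `/usr/lib/krb5/plugins/kdb/ipadb.so` (and its lib64 twin) in BasePathNamespace, whereas the deleted ipa-certauth.in took the module location from the build's `@plugindir@` substitution, so the path now written into the `[plugins]` certauth block can silently diverge from where the build installs ipadb.so on a platform whose krb5 plugin directory differs; only the redhat namespace is shown overriding it, so other platforms presumably fall back to the 32-bit default. A comment on the base constant, e.g. `# Must match the krb5 KDB plugin directory the build installs ipadb.so into (plugindir in daemons/ipa-kdb/Makefile.am); override per platform`, would make the coupling visible to whoever ports this next.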
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index d936cc5..90b2f69 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -207,6 +207,11 @@ def __start_instance(self): root_logger.critical("krb5kdc service failed to start") def __setup_sub_dict(self): + if os.path.exists(paths.COMMON_KRB5_CONF_DIR): + includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR) + else: + includes = '' + self.sub_dict = dict(FQDN=self.fqdn, IP=self.ip, PASSWORD=self.kdc_password, @@ -220,7 +225,9 @@ def __setup_sub_dict(self): KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, - CACERT_PEM=paths.CACERT_PEM) + CACERT_PEM=paths.CACERT_PEM, + INCLUDES=includes, + IPADB_SO=paths.KRB5_IPADB_SO) # IPA server/KDC is not a subdomain of default domain # Proper domain-realm mapping needs to be specified diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 1706079..c766cb2 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -258,6 +258,56 @@ def update_dbmodules(realm, filename=paths.KRB5_CONF): fd.close() root_logger.debug('%s updated', filename) + +def update_plugins(): + filename = paths.KRB5_CONF + newfile = [] + found_plugins = False + found_certauth = False + prefix = '' + + root_logger.info( + '[Verifying that KDC configuration is using ipa-kdb certauth plugin]') + fd = open(filename) + + lines = fd.readlines() + fd.close() + + module_line = ' module = ipakdb:%s\n' % paths.KRB5_IPADB_SO + if module_line in lines: + root_logger.debug('plugins already updated in %s', filename) + return + + for line in lines: + if line.startswith('[plugins]'): + found_plugins = True + if found_plugins and line.find('certauth') > -1: + found_certauth = True + prefix = '#' + if found_plugins and line.find('}') > -1 and found_certauth: + found_certauth = False + newfile.append('#%s' % line) + prefix = '' + continue + + newfile.append('%s%s' % (prefix, line)) + + # Append updated dbmodules information + if not found_plugins: + newfile.append('\n') + newfile.append('[plugins]\n') + newfile.append(' certauth = {\n') + newfile.append(module_line) + newfile.append(' enable_only = ipakdb\n') + newfile.append(' }\n') + + # Write out new file + fd = open(filename, 'w') + fd.write("".join(newfile)) + fd.close() + root_logger.debug('%s updated', filename) + + def cleanup_kdc(fstore): """ Clean up old KDC files if they exist. We need to remove the actual @@ -1630,6 +1680,7 @@ def upgrade_configuration(): ca.unconfigure_certmonger_renewal_guard() update_dbmodules(api.env.realm) + update_plugins() uninstall_ipa_kpasswd() uninstall_ipa_memcached()
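Review bot: When krb5.conf already contains a `[plugins]` section, update_plugins comments out any pre-existing certauth block but never writes the new one, because the certauth lines are only emitted under `if not found_plugins`; a KDC whose `[plugins]` section holds another plugin, or an old certauth entry with a different module path, comes out of the upgrade with certauth disabled. Inserting the block directly after the `[plugins]` header and keeping the trailing append only for the no-section case covers both, as sketched below. `found_plugins` is also never cleared when a later `[section]` header begins, so a `certauth` token anywhere after `[plugins]` would be commented out up to the next `}` — probably harmless today, but a cheap guard. The comment `# Append updated dbmodules information` was carried over from update_dbmodules and should read `# Append a [plugins] section with the certauth block`.
```python
    certauth_block = [
        ' certauth = {\n',
        module_line,
        ' enable_only = ipakdb\n',
        ' }\n',
    ]
    for line in lines:
        if line.startswith('[plugins]'):
            found_plugins = True
            newfile.append(line)
            # Write the new block right under the header so it is present
            # even when [plugins] already holds other plugins or an old block.
            newfile.extend(certauth_block)
            continue
        # … unchanged: comment out a pre-existing certauth block …

    # Append a [plugins] section with the certauth block
    if not found_plugins:
        newfile.append('\n')
        newfile.append('[plugins]\n')
        newfile.extend(certauth_block)
    # … unchanged: write out new file …
```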