URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
 Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
From 540fa8f81622838815d784fd5295c7a4656caf3c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 20 Mar 2017 06:56:53 +0000
Subject: [PATCH] install: do not assume /etc/krb5.conf.d exists

Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589
---
 .gitignore                          |  1 -
 daemons/ipa-kdb/Makefile.am         | 12 +--------
 daemons/ipa-kdb/ipa-certauth.in     |  5 ----
 freeipa.spec.in                     |  1 -
 install/share/krb5.conf.template    |  7 ++++-
 ipaclient/install/client.py         | 16 +++++++-----
 ipaplatform/base/paths.py           |  2 ++
 ipaplatform/redhat/paths.py         |  1 +
 ipaserver/install/krbinstance.py    |  9 ++++++-
 ipaserver/install/server/upgrade.py | 51 +++++++++++++++++++++++++++++++++++++
 10 files changed, 79 insertions(+), 26 deletions(-)
 delete mode 100644 daemons/ipa-kdb/ipa-certauth.in

diff --git a/.gitignore b/.gitignore
index 8941fd8..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,7 +75,6 @@ freeipa2-dev-doc
 /daemons/dnssec/ipa-ods-exporter.socket
 /daemons/ipa-kdb/ipa_kdb_tests
 /daemons/ipa-kdb/tests/.dirstamp
-/daemons/ipa-kdb/ipa-certauth
 /daemons/ipa-otpd/ipa-otpd
 /daemons/ipa-otpd/ipa-otpd.socket
 /daemons/ipa-otpd/ipa-otpd@.service
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 715666e..a512ab7 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -42,16 +42,6 @@ ipadb_la_SOURCES = 		\
 
 if BUILD_IPA_CERTAUTH_PLUGIN
 ipadb_la_SOURCES += ipa_kdb_certauth.c
-
-
-%: %.in
-	sed \
-		-e 's|@plugindir@|$(plugindir)|g' \
-		'$(srcdir)/$@.in' >$@
-
-krb5confdir = $(sysconfdir)/krb5.conf.d
-krb5conf_DATA = ipa-certauth
-CLEANFILES = $(krb5conf_DATA)
 endif
 
 ipadb_la_LDFLAGS = 		\
@@ -105,7 +95,7 @@ ipa_kdb_tests_LDADD =          \
        -lsss_idmap             \
        $(NULL)
 
-dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in
+dist_noinst_DATA = ipa_kdb.exports
 
 clean-local:
 	rm -f tests/.dirstamp
diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in
deleted file mode 100644
index eda89a2..0000000
--- a/daemons/ipa-kdb/ipa-certauth.in
+++ /dev/null
@@ -1,5 +0,0 @@
-[plugins]
- certauth = {
-  module = ipakdb:@plugindir@/ipadb.so
-  enable_only = ipakdb
- }
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5419ed1..d1bb171 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1167,7 +1167,6 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
 %dir %{_libexecdir}/ipa/certmonger
 %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index e8b2ad8..acfeeb3 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -1,4 +1,4 @@
-includedir /etc/krb5.conf.d/
+$INCLUDES
 includedir /var/lib/sss/pubconf/krb5.include.d/
 
 [logging]
@@ -34,3 +34,8 @@ $OTHER_DOMAIN_REALM_MAPS
     db_library = ipadb.so
   }
 
+[plugins]
+ certauth = {
+  module = ipakdb:$IPADB_SO
+  enable_only = ipakdb
+ }
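Review bot: The `[plugins]` certauth stanza is emitted unconditionally, while the Makefile.am hunk keeps `ipa_kdb_certauth.c` behind `BUILD_IPA_CERTAUTH_PLUGIN`; on a build without that plugin the generated krb5.conf still names a certauth module inside `$IPADB_SO`, and whether krb5kdc tolerates an `enable_only` module that the library does not register is not visible here, so it is worth confirming or making the stanza conditional on the build. A short template comment would help readers who remember the old snippet, e.g. `# ipa-kdb certauth plugin (formerly shipped as /etc/krb5.conf.d/ipa-certauth)`. Minor: when `$INCLUDES` substitutes to an empty string the first hunk leaves a blank first line in krb5.conf, which is harmless but looks like a leftover.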
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 549c9b8..371581a 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -641,14 +641,18 @@ def configure_krb5_conf(
             'value': 'File modified by ipa-client-install'
         },
         krbconf.emptyLine(),
-        {
-            'name': 'includedir',
-            'type': 'option',
-            'value': paths.COMMON_KRB5_CONF_DIR,
-            'delim': ' '
-        }
     ]
 
+    if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+        opts.extend([
+            {
+                'name': 'includedir',
+                'type': 'option',
+                'value': paths.COMMON_KRB5_CONF_DIR,
+                'delim': ' '
+            }
+        ])
+
     # SSSD include dir
     if configure_sssd:
         opts.extend([
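Review bot: The guard on the new `includedir` entry tests `os.path.exists`, but krb5's `includedir` needs a directory, so a stray regular file at `paths.COMMON_KRB5_CONF_DIR` passes the check and produces a krb5.conf that krb5 may refuse to parse; `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):` is the tighter test. The same `os.path.exists` check is used in `__setup_sub_dict` in the ipaserver/install/krbinstance.py hunk. Wrapping a single dict in `opts.extend([...])` reads better as `opts.append({...})`. A comment should also say this is an install-time snapshot, e.g. `# includedir must name an existing directory; a directory created later is not picked up until the config is regenerated`. configure_krb5_conf starts before and continues after the hunk.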
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9cf160f..7395f14 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -186,12 +186,14 @@ class BasePathNamespace(object):
     BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
     USR_LIB_DIRSRV = "/usr/lib/dirsrv"
     LIB_FIREFOX = "/usr/lib/firefox"
+    KRB5_IPADB_SO = "/usr/lib/krb5/plugins/kdb/ipadb.so"
     LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
     PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so"
     LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
     BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
     USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
     LIB64_FIREFOX = "/usr/lib64/firefox"
+    KRB5_IPADB_SO_64 = "/usr/lib64/krb5/plugins/kdb/ipadb.so"
     LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
     PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so"
     DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
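Review bot: `KRB5_IPADB_SO` and `KRB5_IPADB_SO_64` hard-code the plugin path, whereas the Makefile.am hunk this replaces derived it from `$(plugindir)` at build time; if a platform builds ipa-kdb into a different plugin directory, the `module = ipakdb:...` line written from this constant points at a file that does not exist and the KDC cannot load the certauth module. A comment tying the two together would help the next porter, e.g. `# Must match the plugindir ipadb.so is installed to (see daemons/ipa-kdb/Makefile.am).` The ipaplatform/redhat/paths.py hunk selects the `_64` variant on 64-bit builds, as for the neighbouring constants. BasePathNamespace starts before and continues after the hunk.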
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index 91ba9d0..af44d02 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,7 @@
 class RedHatPathNamespace(BasePathNamespace):
     # https://docs.python.org/2/library/platform.html#cross-platform
     if sys.maxsize > 2**32:
+        KRB5_IPADB_SO = BasePathNamespace.KRB5_IPADB_SO_64
         LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
         PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
         BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..90b2f69 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -207,6 +207,11 @@ def __start_instance(self):
             root_logger.critical("krb5kdc service failed to start")
 
     def __setup_sub_dict(self):
+        if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+            includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
+        else:
+            includes = ''
+
         self.sub_dict = dict(FQDN=self.fqdn,
                              IP=self.ip,
                              PASSWORD=self.kdc_password,
@@ -220,7 +225,9 @@ def __setup_sub_dict(self):
                              KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
                              KDC_CERT=paths.KDC_CERT,
                              KDC_KEY=paths.KDC_KEY,
-                             CACERT_PEM=paths.CACERT_PEM)
+                             CACERT_PEM=paths.CACERT_PEM,
+                             INCLUDES=includes,
+                             IPADB_SO=paths.KRB5_IPADB_SO)
 
         # IPA server/KDC is not a subdomain of default domain
         # Proper domain-realm mapping needs to be specified
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..c766cb2 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -258,6 +258,56 @@ def update_dbmodules(realm, filename=paths.KRB5_CONF):
     fd.close()
     root_logger.debug('%s updated', filename)
 
+
+def update_plugins():
+    filename = paths.KRB5_CONF
+    newfile = []
+    found_plugins = False
+    found_certauth = False
+    prefix = ''
+
+    root_logger.info(
+        '[Verifying that KDC configuration is using ipa-kdb certauth plugin]')
+    fd = open(filename)
+
+    lines = fd.readlines()
+    fd.close()
+
+    module_line = '  module = ipakdb:%s\n' % paths.KRB5_IPADB_SO
+    if module_line in lines:
+        root_logger.debug('plugins already updated in %s', filename)
+        return
+
+    for line in lines:
+        if line.startswith('[plugins]'):
+            found_plugins = True
+        if found_plugins and line.find('certauth') > -1:
+            found_certauth = True
+            prefix = '#'
+        if found_plugins and line.find('}') > -1 and found_certauth:
+            found_certauth = False
+            newfile.append('#%s' % line)
+            prefix = ''
+            continue
+
+        newfile.append('%s%s' % (prefix, line))
+
+    # Append updated dbmodules information
+    if not found_plugins:
+        newfile.append('\n')
+        newfile.append('[plugins]\n')
+    newfile.append(' certauth = {\n')
+    newfile.append(module_line)
+    newfile.append('  enable_only = ipakdb\n')
+    newfile.append(' }\n')
+
+    # Write out new file
+    fd = open(filename, 'w')
+    fd.write("".join(newfile))
+    fd.close()
+    root_logger.debug('%s updated', filename)
+
+
 def cleanup_kdc(fstore):
     """
     Clean up old KDC files if they exist. We need to remove the actual
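Review bot: When `[plugins]` already exists but is not the last section, the certauth stanza is appended after the file's final section rather than inside `[plugins]`, because the loop never resets `found_plugins` on a later section header and the `newfile.append(' certauth = {\n')` block runs after the loop regardless; the same unreset flag also lets a `certauth` or `}` line in any later section get commented out. Inserting the stanza when the next section header is reached fixes both, as sketched below. The comment `# Append updated dbmodules information` is carried over from update_dbmodules and should read `# Append the certauth plugin stanza`. The in-place `open(filename, 'w')` rewrite is not atomic, so an interruption mid-write leaves a truncated krb5.conf that breaks Kerberos on the host; writing to a temporary file and renaming it into place (preserving mode) is safer, although update_dbmodules above shares the pattern.
```python
    certauth_block = [
        ' certauth = {\n',
        module_line,
        '  enable_only = ipakdb\n',
        ' }\n',
    ]
    inserted = False
    for line in lines:
        if line.startswith('['):
            if found_plugins and not inserted:
                # leaving [plugins]: put the stanza inside it, not after the last section
                newfile.extend(certauth_block)
                inserted = True
            found_plugins = line.startswith('[plugins]')
        # … unchanged: comment out an existing certauth stanza, then newfile.append(...) …

    if not inserted:
        if not found_plugins:
            newfile.append('\n')
            newfile.append('[plugins]\n')
        newfile.extend(certauth_block)
    # … unchanged: write out new file …
```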
@@ -1630,6 +1680,7 @@ def upgrade_configuration():
     ca.unconfigure_certmonger_renewal_guard()
 
     update_dbmodules(api.env.realm)
+    update_plugins()
     uninstall_ipa_kpasswd()
     uninstall_ipa_memcached()
 