[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 From 195b5b98defa5ac3ad90d75bc411a315fccfdd52 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 20 Mar 2017 13:23:44 +0200 Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent with the configuration FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own server's host name. This value is then used in multiple places, including construction of cifs/host.name principal. `ipasam` module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in the /etc/samba/samba.keytab. However, if the principal was created using non-FQDN name but system reports FQDN name, `ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal and non-FQDN hostname. Also host name and principal name must have the same case. Report an error when configuring ADTrust instance with inconsistent runtime hostname and configuration. This prevents errors like this: [20/21]: starting CIFS services ipa : CRITICAL CIFS services failed to start where samba logs have this: [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup) kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect) Connection to LDAP server failed for the 16 try! Fixes https://pagure.io/freeipa/issue/6786 --- ipaserver/install/adtrustinstance.py | 12 1 file changed, 12 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0b18985..b4db055 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -27,6 +27,7 @@ import string import struct import re +import socket import six @@ -689,6 +690,15 @@ def __enable_compat_tree(self): except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) +def __validate_server_hostname(self): +hostname = socket.gethostname() +if hostname != self.fqdn: +raise ValueError("Host reports different name than configured: " + "'%s' versus '%s'. Samba requires to have " + "the same hostname or Kerberos principal " + "'cifs/%s' will not be found in Samba keytab." % + (hostname, self.fqdn, self.fqdn)) + def __start(self): try: self.start() @@ -804,6 +814,8 @@ def find_local_id_range(self): api.Backend.ldap2.add_entry(entry) def create_instance(self): +self.step("validate server hostname", + self.__validate_server_hostname) self.step("stopping smbd", self.__stop) self.step("creating samba domain object", \ self.__create_samba_domain_object) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/629/head:pr629 git checkout pr629 From f79ec2d56bc8a16765633156a11d4cd9210795d9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 20 Mar 2017 13:23:44 +0200 Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent with the configuration FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own server's host name. This value is then used in multiple places, including construction of cifs/host.name principal. `ipasam` module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in the /etc/samba/samba.keytab. However, if the principal was created using non-FQDN name but system reports FQDN name, `ipasam` will fail to acquire Kerberos credentials. Same with FQDN principal and non-FQDN hostname. Also host name and principal name must have the same case. Report an error when configuring ADTrust instance with inconsistent runtime hostname and configuration. This prevents errors like this: [20/21]: starting CIFS services ipa : CRITICAL CIFS services failed to start where samba logs have this: [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup) kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect) Connection to LDAP server failed for the 16 try! Fixes https://pagure.io/freeipa/issue/6786 --- ipaserver/install/adtrustinstance.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 0b18985..3527ca9 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -689,6 +689,15 @@ def __enable_compat_tree(self): except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) +def __validate_server_hostname(self): +hostname = socket.gethostname() +if hostname != self.fqdn: +raise ValueError("Host reports different name than configured: " + "'%s' versus '%s'. Samba requires to have " + "the same hostname or Kerberos principal " + "'cifs/%s' will not be found in Samba keytab." % + (hostname, self.fqdn, self.fqdn)) + def __start(self): try: self.start() @@ -804,6 +813,8 @@ def find_local_id_range(self): api.Backend.ldap2.add_entry(entry) def create_instance(self): +self.step("validate server hostname", + self.__validate_server_hostname) self.step("stopping smbd", self.__stop) self.step("creating samba domain object", \ self.__create_samba_domain_object) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code