[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
 Title: #629: adtrust: make sure that runtime hostname result is consistent 
with the configuration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/629/head:pr629
git checkout pr629
From 195b5b98defa5ac3ad90d75bc411a315fccfdd52 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration

FreeIPA's `ipasam` module to Samba uses the gethostname() call to identify
its own server's host name. This value is then used in multiple places,
including construction of the cifs/host.name principal. The `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in /etc/samba/samba.keytab. However, if
the principal was created using a non-FQDN name but the system reports
an FQDN name, `ipasam` will fail to acquire Kerberos credentials.
The same applies to an FQDN principal and a non-FQDN hostname.

Also, the host name and the principal name must have the same case.

Report an error when configuring an ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
---
 ipaserver/install/adtrustinstance.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b18985..b4db055 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@
 import string
 import struct
 import re
+import socket
 
 import six
 
@@ -689,6 +690,15 @@ def __enable_compat_tree(self):
 except Exception as e:
 root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+def __validate_server_hostname(self):
+hostname = socket.gethostname()
+if hostname != self.fqdn:
+raise ValueError("Host reports different name than configured: "
+ "'%s' versus '%s'. Samba requires to have "
+ "the same hostname or Kerberos principal "
+ "'cifs/%s' will not be found in Samba keytab." %
+ (hostname, self.fqdn, self.fqdn))
+
 def __start(self):
 try:
 self.start()
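Review bot: the comparison `hostname != self.fqdn` is deliberately exact and case-sensitive, which matches the commit message (the principal name must match in case too), but the error text would read better and point the admin at the right file if it said "Samba requires the hostname to be the same, or the Kerberos principal 'cifs/%s' will not be found in /etc/samba/samba.keytab." instead of "Samba requires to have the same hostname or Kerberos principal ... in Samba keytab". Since gethostname() can legitimately return a short name depending on how the host is configured, it is worth saying in the message that the short-versus-FQDN case is also rejected, so the operator knows to fix the system host name rather than the IPA configuration.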
@@ -804,6 +814,8 @@ def find_local_id_range(self):
 api.Backend.ldap2.add_entry(entry)
 
 def create_instance(self):
+self.step("validate server hostname",
+  self.__validate_server_hostname)
 self.step("stopping smbd", self.__stop)
 self.step("creating samba domain object", \
   self.__create_samba_domain_object)
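Review bot: registering the validation as the very first step is the right choice, because a failing check then raises before "stopping smbd" and before any Samba domain objects are written to LDAP, so a misconfigured host is left untouched; please note this ordering dependency in a comment next to the step so a later reordering does not silently move the check after side-effecting steps.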
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
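The failure modes the commit message describes (short name versus FQDN, case mismatch, and a keytab without the cifs/ principal Samba will actually build from gethostname()) can be checked in one place. The following Python is an added example and is not part of PR #629 or of FreeIPA's own code; the realm, host names and keytab listing are constructed for illustration, and the keytab contents are passed in as a set rather than read from /etc/samba/samba.keytab.

```python
"""Added example (not FreeIPA code): check that the kernel-reported host
name, the configured FQDN and the cifs/ principal in the Samba keytab agree.
All names, the realm and the keytab listing below are constructed."""
import socket


def expected_cifs_principal(host, realm):
    # ipasam authenticates to LDAP with GSSAPI as cifs/<host>@<REALM>
    return "cifs/%s@%s" % (host, realm)


def classify_hostname_mismatch(runtime_hostname, configured_fqdn):
    """Explain why the runtime host name disagrees with the configured FQDN.

    Returns None when they are identical. The comparison is case-sensitive on
    purpose: Kerberos principal names are case-sensitive, so a host name that
    differs only in case maps to a different keytab entry.
    """
    if runtime_hostname == configured_fqdn:
        return None
    if runtime_hostname.lower() == configured_fqdn.lower():
        return "case mismatch"
    runtime_short = runtime_hostname.split(".", 1)[0]
    configured_short = configured_fqdn.split(".", 1)[0]
    if runtime_short.lower() == configured_short.lower():
        return "short name versus fully qualified name"
    return "unrelated names"


def validate_server_hostname(runtime_hostname, configured_fqdn, realm,
                             keytab_principals):
    """Return a list of findings; an empty list means the host is consistent.

    keytab_principals is the set of principal names present in the Samba
    keytab (constructed here; a deployment would obtain it by listing the
    keytab, which is not modelled in this example).
    """
    findings = []
    reason = classify_hostname_mismatch(runtime_hostname, configured_fqdn)
    if reason is not None:
        findings.append("host reports '%s' but configuration says '%s' (%s)"
                        % (runtime_hostname, configured_fqdn, reason))
    configured_principal = expected_cifs_principal(configured_fqdn, realm)
    if configured_principal not in keytab_principals:
        findings.append("keytab has no key for %s" % configured_principal)
    # ipasam derives its principal from gethostname(), so the runtime name
    # must also resolve to a keytab entry or the GSSAPI bind to LDAP fails.
    runtime_principal = expected_cifs_principal(runtime_hostname, realm)
    if runtime_principal not in keytab_principals:
        findings.append("keytab has no key for %s (the name Samba will use)"
                        % runtime_principal)
    return findings


def check_local_host(configured_fqdn, realm, keytab_principals):
    """Run the same validation against the name this host really reports."""
    return validate_server_hostname(socket.gethostname(), configured_fqdn,
                                    realm, keytab_principals)


# Constructed sample: the keytab holds only the lower-case, fully qualified
# cifs/ principal, so a short or differently cased host name must be rejected.
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_FQDN = "ipa.example.com"
SAMPLE_KEYTAB = {"cifs/ipa.example.com@EXAMPLE.COM",
                 "host/ipa.example.com@EXAMPLE.COM"}

if __name__ == "__main__":
    for runtime in ("ipa.example.com", "ipa", "IPA.example.com"):
        result = validate_server_hostname(runtime, SAMPLE_FQDN, SAMPLE_REALM,
                                          SAMPLE_KEYTAB)
        print("%-16s -> %s" % (runtime, result or "consistent"))
```

Run stand-alone, the script reports the short-name and case-mismatch inputs as inconsistent and the exact FQDN as consistent; `check_local_host` applies the same logic to the name the current machine reports, which is the condition the patch enforces before any Samba objects are created.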

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
 Title: #629: adtrust: make sure that runtime hostname result is consistent 
with the configuration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/629/head:pr629
git checkout pr629
From f79ec2d56bc8a16765633156a11d4cd9210795d9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration

FreeIPA's `ipasam` module to Samba uses the gethostname() call to identify
its own server's host name. This value is then used in multiple places,
including construction of the cifs/host.name principal. The `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in /etc/samba/samba.keytab. However, if
the principal was created using a non-FQDN name but the system reports
an FQDN name, `ipasam` will fail to acquire Kerberos credentials.
The same applies to an FQDN principal and a non-FQDN hostname.

Also, the host name and the principal name must have the same case.

Report an error when configuring an ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
---
 ipaserver/install/adtrustinstance.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b18985..3527ca9 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -689,6 +689,15 @@ def __enable_compat_tree(self):
 except Exception as e:
 root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+def __validate_server_hostname(self):
+hostname = socket.gethostname()
+if hostname != self.fqdn:
+raise ValueError("Host reports different name than configured: "
+ "'%s' versus '%s'. Samba requires to have "
+ "the same hostname or Kerberos principal "
+ "'cifs/%s' will not be found in Samba keytab." %
+ (hostname, self.fqdn, self.fqdn))
+
 def __start(self):
 try:
 self.start()
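Review bot: this revision no longer contains the hunk that added `import socket` to the module header (the earlier revision of the same patch did, and the diffstat dropped from 12 to 11 insertions), yet `hostname = socket.gethostname()` is still called here; unless adtrustinstance.py already imports `socket` elsewhere, this only fails with a NameError at the moment the new step runs, which is exactly when the admin is least able to debug it. Please either restore the import or state in the PR why it is already available.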
@@ -804,6 +813,8 @@ def find_local_id_range(self):
 api.Backend.ldap2.add_entry(entry)
 
 def create_instance(self):
+self.step("validate server hostname",
+  self.__validate_server_hostname)
 self.step("stopping smbd", self.__stop)
 self.step("creating samba domain object", \
   self.__create_samba_domain_object)
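Review bot: a unit test for this step would be cheap and would have caught the import question above: monkeypatch `socket.gethostname` to return a short or differently cased name, call `create_instance`, and assert that a ValueError is raised before the "stopping smbd" step executes.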
-- 