IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

adtrust: make sure that runtime hostname result is consistent with the configuration

Browse Source 
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.

Also host name and principal name must have the same case.

Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:

    [20/21]: starting CIFS services
    ipa         : CRITICAL CIFS services failed to start

    where samba logs have this:

    [2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
      kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
    [2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
      Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Alexander Bokovoy
2017-03-20 13:23:44 +02:00
committed by Martin Basti
parent 5c22f905d4
commit 0d817ae63a
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ipaserver/install/adtrustinstance.py
View File

@@ -27,6 +27,7 @@ import uuid
import string
import struct
import re
import socket
import six
@@ -689,6 +690,15 @@ class ADTRUSTInstance(service.Service):
except Exception as e:
root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
def __validate_server_hostname(self):
hostname = socket.gethostname()
if hostname != self.fqdn:
raise ValueError("Host reports different name than configured: "
"'%s' versus '%s'. Samba requires to have "
"the same hostname or Kerberos principal "
"'cifs/%s' will not be found in Samba keytab." %
(hostname, self.fqdn, self.fqdn))
def __start(self):
try:
self.start()
@@ -804,6 +814,8 @@ class ADTRUSTInstance(service.Service):
api.Backend.ldap2.add_entry(entry)
def create_instance(self):
self.step("validate server hostname",
self.__validate_server_hostname)
self.step("stopping smbd", self.__stop)
self.step("creating samba domain object", \
self.__create_samba_domain_object)