adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a plain path
(which implies the FILE: prefix) while the Samba Team fixes the code to allow
the access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Alexander Bokovoy 2016-12-12 10:30:51 +02:00 committed by Martin Babinsky
parent 15351ab6e7
commit 38cc01b1c9
2 changed files with 23 additions and 1 deletions


@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME
realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes


@ -48,6 +48,7 @@ from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance
from ipaserver.install import dogtaginstance
from ipaserver.install import krbinstance
from ipaserver.install import adtrustinstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@ -268,6 +269,26 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
def upgrade_adtrust_config():
"""
Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
"""
if not adtrustinstance.ipa_smb_conf_exists():
return
root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
"in Samba configuration]")
args = [paths.NET, "conf", "setparm", "global",
"dedicated keytab file", paths.SAMBA_KEYTAB]
try:
ipautil.run(args)
except ipautil.CalledProcessError as e:
root_logger.warning("Error updating Samba registry: %s", e)
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@ -1668,6 +1689,7 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
upgrade_adtrust_config()
bind = bindinstance.BindInstance(fstore)
if bind.is_configured() and not bind.is_running():
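Review bot: upgrade_adtrust_config() in the second hunk calls `net conf setparm` on every upgrade run without first reading the stored value, so a registry that already holds a plain path is rewritten each time, and a 'dedicated keytab file' value that an administrator pointed elsewhere would be replaced with paths.SAMBA_KEYTAB. Reading the parameter first and writing only when it still carries a `FILE:` or `WRFILE:` prefix keeps the step idempotent and limits it to the case the commit message describes. The sketch below assumes ipautil.run() accepts capture_output and returns an object with .output in this tree; that should be confirmed. Separately, when setparm fails the upgrade continues with only a warning, so the message should say that Samba is left with a keytab value it may not accept.

```python
def upgrade_adtrust_config():
    # … unchanged: docstring, ipa_smb_conf_exists() check …
    getparm = [paths.NET, "conf", "getparm", "global",
               "dedicated keytab file"]
    try:
        result = ipautil.run(getparm, capture_output=True)
    except ipautil.CalledProcessError as e:
        root_logger.warning("Error reading Samba registry: %s", e)
        return
    if not result.output.strip().startswith(("FILE:", "WRFILE:")):
        # Already a plain path, or a value chosen by the administrator.
        return
    # … unchanged: log line, setparm call, CalledProcessError handling …
```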