IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

Browse Source 
Samba 4.5 does not allow to specify access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Alexander Bokovoy
2016-12-12 10:30:51 +02:00
committed by Martin Babinsky
parent 15351ab6e7
commit 38cc01b1c9
2 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
install/share/smb.conf.template
View File

@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME
realm = $REALM realm = $REALM
kerberos method = dedicated keytab kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no create krb5 conf = no
security = user security = user
domain master = yes domain master = yes

22
ipaserver/install/server/upgrade.py
View File

@@ -48,6 +48,7 @@ from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance from ipaserver.install import krainstance
from ipaserver.install import dogtaginstance from ipaserver.install import dogtaginstance
from ipaserver.install import krbinstance from ipaserver.install import krbinstance
from ipaserver.install import adtrustinstance
from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax from ipaserver.install.ldapupdate import BadSyntax
@@ -268,6 +269,26 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file) root_logger.debug('Removing %s from backup', backed_up_file)
def upgrade_adtrust_config():
"""
Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
"""
if not adtrustinstance.ipa_smb_conf_exists():
return
root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
"in Samba configuration]")
args = [paths.NET, "conf", "setparm", "global",
"dedicated keytab file", paths.SAMBA_KEYTAB]
try:
ipautil.run(args)
except ipautil.CalledProcessError as e:
root_logger.warning("Error updating Samba registry: %s", e)
def ca_configure_profiles_acl(ca): def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]') root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1668,6 +1689,7 @@ def upgrade_configuration():
cleanup_kdc(fstore) cleanup_kdc(fstore)
cleanup_adtrust(fstore) cleanup_adtrust(fstore)
upgrade_adtrust_config()
bind = bindinstance.BindInstance(fstore) bind = bindinstance.BindInstance(fstore)
if bind.is_configured() and not bind.is_running(): if bind.is_configured() and not bind.is_running():