Move certauth configuration into a server krb5.conf template

Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-04-11 18:11:06 -04:00 · 2019-04-11 18:11:06 -04:00 · 39e3704a06
commit 39e3704a06
parent c7b938a1d5
5 changed files with 19 additions and 30 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -51,6 +51,7 @@ dist_app_DATA =				\
 	kdc_extensions.template		\
 	kdc_req.conf.template		\
 	krb5.conf.template		\
+	freeipa-server.template		\
 	krb5.ini.template		\
 	krb.con.template		\
 	krbrealm.con.template		\
--- a/install/share/freeipa-server.template
+++ b/install/share/freeipa-server.template
@ -0,0 +1,5 @@
+[plugins]
+    certauth = {
+        module = ipakdb:kdb/ipadb.so
+        enable_only = ipakdb
+    }
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -74,6 +74,7 @@ class BasePathNamespace:
    COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
    KRB5_CONF = "/etc/krb5.conf"
    KRB5_FREEIPA = COMMON_KRB5_CONF_DIR + "freeipa"
+    KRB5_FREEIPA_SERVER = COMMON_KRB5_CONF_DIR + "freeipa-server"
    KRB5_KEYTAB = "/etc/krb5.keytab"
    LDAP_CONF = "/etc/ldap.conf"
    LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -349,6 +349,7 @@ class KrbInstance(service.Service):
    def __configure_instance(self):
        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
        self.__template_file(paths.KRB5_CONF)
+        self.__template_file(paths.KRB5_FREEIPA_SERVER)
        self.__template_file(paths.KRB5_FREEIPA, client_template=True)
        self.__template_file(paths.HTML_KRB5_INI)
        self.__template_file(paths.KRB_CON)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1654,36 +1654,17 @@ def setup_spake(krb):
        aug.close()


-def enable_certauth(krb):
-    logger.info("[Enable certauth]")
+# Currently, this doesn't support templating.
+def enable_server_snippet():
+    logger.info("[Enable server krb5.conf snippet]")
+    template = os.path.join(
+        paths.USR_SHARE_IPA_DIR,
+        os.path.basename(paths.KRB5_FREEIPA_SERVER) + ".template"
+    )
+    shutil.copy(template, paths.KRB5_FREEIPA_SERVER)
+    os.chmod(paths.KRB5_FREEIPA_SERVER, 0o644)

-    aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
-                 loadpath=paths.USR_SHARE_IPA_DIR)
-    try:
-        aug.transform('IPAKrb5', paths.KRB5_CONF)
-        aug.load()
-
-        path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
-        modified = False
-
-        if not aug.match(path):
-            aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
-            aug.set('{}/enable_only'.format(path), 'ipakdb')
-            modified = True
-
-        if modified:
-            try:
-                aug.save()
-            except IOError:
-                for error_path in aug.match('/augeas//error'):
-                    logger.error('augeas: %s', aug.get(error_path))
-                raise
-
-            if krb.is_running():
-                krb.stop()
-            krb.start()
-    finally:
-        aug.close()
+    tasks.restore_context(paths.KRB5_FREEIPA_SERVER)


 def ntpd_cleanup(fqdn, fstore):
@ -2144,7 +2125,7 @@ def upgrade_configuration():
    krb.add_anonymous_principal()
    setup_spake(krb)
    setup_pkinit(krb)
-    enable_certauth(krb)
+    enable_server_snippet()

    if not ds_running:
        ds.stop(ds.serverid)