ipa-adtrust-install does not re-add member in adtrust agents group

When a CIFS service exists and adtrust agents group does not have it as a member attribute (for whatever reason), re-running ipa-adtrust-install does not fix the inconsistency. Make the installer more robust by being able to fix the inconsistency. https://fedorahosted.org/freeipa/ticket/4464 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-12-28 01:41:14 -06:00 · 2014-08-01 16:34:33 +02:00 · 2014-08-01 16:34:33 +02:00 · 7caed6ecfb
commit 7caed6ecfb
parent 34de95545d
1 changed files with 21 additions and 18 deletions
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@ -497,28 +497,31 @@ class ADTRUSTInstance(service.Service):
    def __setup_principal(self):
        try:
            api.Command.service_add(unicode(self.cifs_principal))
-            # Add the principal to the 'adtrust agents' group
+        except errors.DuplicateEntry:
            # as 389-ds only operates with GroupOfNames, we have to use
            # the principal's proper dn as defined in self.cifs_agent
            try:
                current = self.admin_conn.get_entry(self.smb_dn)
                members = current.get('member', [])
                if not(self.cifs_agent in members):
                    current["member"] = members + [self.cifs_agent]
                    self.admin_conn.update_entry(current)
            except errors.NotFound:
                entry = self.admin_conn.make_entry(
                    self.smb_dn,
                    objectclass=["top", "GroupOfNames"],
                    cn=[self.smb_dn['cn']],
                    member=[self.cifs_agent],
                )
                self.admin_conn.add_entry(entry)
        except Exception:
            # CIFS principal already exists, it is not the first time
            # adtrustinstance is managed
            # That's fine, we we'll re-extract the key again.
            pass
        except Exception, e:
            self.print_msg("Cannot add CIFS service: %s" % e)
        # Add the principal to the 'adtrust agents' group
        # as 389-ds only operates with GroupOfNames, we have to use
        # the principal's proper dn as defined in self.cifs_agent
        try:
            current = self.admin_conn.get_entry(self.smb_dn)
            members = current.get('member', [])
            if not(self.cifs_agent in members):
                current["member"] = members + [self.cifs_agent]
                self.admin_conn.update_entry(current)
        except errors.NotFound:
            entry = self.admin_conn.make_entry(
                self.smb_dn,
                objectclass=["top", "GroupOfNames"],
                cn=[self.smb_dn['cn']],
                member=[self.cifs_agent],
            )
            self.admin_conn.add_entry(entry)
        self.clean_samba_keytab()