Drop server tmpfile, ship upstream one, and create ipaapi/kdcproxy users/groups on install and add www-data to ipaapi group.

debian/changelog

@@ -27,6 +27,8 @@ freeipa (4.6.2-1) UNRELEASED; urgency=medium
     drop d/autoreconf.
   * local-options: Ignore some files not on tarballs.
   * rules: Migrate to dh_missing.
+  * Drop server tmpfile, ship upstream one, and create ipaapi/kdcproxy
+    users/groups on install and add www-data to ipaapi group.
 
  -- Timo Aaltonen <tjaalton@debian.org>  Tue, 14 Mar 2017 16:55:45 +0200
 

debian/freeipa-client.tmpfile

@@ -1 +1 @@
-d /var/run/ipa 0700 root root
+d /var/run/ipa 0711 root root

debian/freeipa-server.postinst

@@ -2,6 +2,24 @@
 set -e
 
 if [ "$1" = configure ]; then
+    if ! getent passwd kdcproxy  > $OUT; then
+        adduser --quiet --system --home / \
+            --shell /usr/sbin/nologin --group \
+            --no-create-home --gecos "IPA KDC Proxy User" \
+            kdcproxy > $OUT
+    fi
+    if ! getent passwd ipaapi  > $OUT; then
+        adduser --quiet --system --home / \
+            --shell /usr/sbin/nologin --group \
+            --no-create-home --gecos "IPA Framework User" \
+            ipaapi > $OUT
+    fi
+
+    # add www-data to ipaapi group
+    if ! id -Gn www-data | grep '\bipaapi\b' >/dev/null; then
+        usermod www-data -a -G ipaapi
+    fi
+
     if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
         . /usr/share/apache2/apache2-maintscript-helper
 	if [ ! -e /etc/apache2/mods-enabled/auth_gssapi.load ]; then

debian/freeipa-server.tmpfile

@@ -1,3 +0,0 @@
-d /var/run/apache2/ipa 0700 www-data www-data
-d /var/run/apache2/ipa/clientcaches 0700 www-data www-data
-d /var/run/apache2/ipa/krbcache 0700 www-data www-data