IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

install: do not assume /etc/krb5.conf.d exists

Browse Source 
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
This commit is contained in:
Jan Cholasta
2017-03-20 06:56:53 +00:00
committed by Martin Babinsky
parent d308abac2e
commit d5fc0ddd87
8 changed files with 56 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -77,7 +77,6 @@ freeipa2-dev-doc
/daemons/dnssec/ipa-ods-exporter.socket /daemons/dnssec/ipa-ods-exporter.socket
/daemons/ipa-kdb/ipa_kdb_tests /daemons/ipa-kdb/ipa_kdb_tests
/daemons/ipa-kdb/tests/.dirstamp /daemons/ipa-kdb/tests/.dirstamp
/daemons/ipa-kdb/ipa-certauth
/daemons/ipa-otpd/ipa-otpd /daemons/ipa-otpd/ipa-otpd
/daemons/ipa-otpd/ipa-otpd.socket /daemons/ipa-otpd/ipa-otpd.socket
/daemons/ipa-otpd/ipa-otpd@.service /daemons/ipa-otpd/ipa-otpd@.service

6
daemons/ipa-kdb/Makefile.am
View File

@@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports
if BUILD_IPA_CERTAUTH_PLUGIN if BUILD_IPA_CERTAUTH_PLUGIN
ipadb_la_SOURCES += ipa_kdb_certauth.c ipadb_la_SOURCES += ipa_kdb_certauth.c
krb5confdir = $(sysconfdir)/krb5.conf.d
krb5conf_DATA = ipa-certauth
else
dist_noinst_DATA += ipa-certauth
endif endif
ipadb_la_LDFLAGS = \ ipadb_la_LDFLAGS = \

5
daemons/ipa-kdb/ipa-certauth
View File

@@ -1,5 +0,0 @@
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}

1
freeipa.spec.in
View File

@@ -1213,7 +1213,6 @@ fi
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
%dir %{_libexecdir}/ipa/certmonger %dir %{_libexecdir}/ipa/certmonger
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
# NOTE: systemd specific section # NOTE: systemd specific section

7
install/share/krb5.conf.template
View File

@@ -1,4 +1,4 @@
includedir /etc/krb5.conf.d/ $INCLUDES
includedir /var/lib/sss/pubconf/krb5.include.d/ includedir /var/lib/sss/pubconf/krb5.include.d/
[logging] [logging]
@@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS
db_library = ipadb.so db_library = ipadb.so
} }
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}

16
ipaclient/install/client.py
View File

@@ -640,14 +640,18 @@ def configure_krb5_conf(
'value': 'File modified by ipa-client-install' 'value': 'File modified by ipa-client-install'
}, },
krbconf.emptyLine(), krbconf.emptyLine(),
{
'name': 'includedir',
'type': 'option',
'value': paths.COMMON_KRB5_CONF_DIR,
'delim': ' '
}
] ]
if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
opts.extend([
{
'name': 'includedir',
'type': 'option',
'value': paths.COMMON_KRB5_CONF_DIR,
'delim': ' '
}
])
# SSSD include dir # SSSD include dir
if configure_sssd: if configure_sssd:
opts.extend([ opts.extend([

8
ipaserver/install/krbinstance.py
View File

@@ -249,6 +249,11 @@ class KrbInstance(service.Service):
root_logger.critical("krb5kdc service failed to start") root_logger.critical("krb5kdc service failed to start")
def __setup_sub_dict(self): def __setup_sub_dict(self):
if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
else:
includes = ''
self.sub_dict = dict(FQDN=self.fqdn, self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip, IP=self.ip,
PASSWORD=self.kdc_password, PASSWORD=self.kdc_password,
@@ -264,7 +269,8 @@ class KrbInstance(service.Service):
KDC_KEY=paths.KDC_KEY, KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM, CACERT_PEM=paths.CACERT_PEM,
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes)
# IPA server/KDC is not a subdomain of default domain # IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified # Proper domain-realm mapping needs to be specified

33
ipaserver/install/server/upgrade.py
View File

@@ -1553,6 +1553,38 @@ def setup_pkinit(krb):
aug.close() aug.close()
def enable_certauth(krb):
root_logger.info("[Enable certauth]")
aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
loadpath=paths.USR_SHARE_IPA_DIR)
try:
aug.transform('IPAKrb5', paths.KRB5_CONF)
aug.load()
path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
modified = False
if not aug.match(path):
aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
aug.set('{}/enable_only'.format(path), 'ipakdb')
modified = True
if modified:
try:
aug.save()
except IOError:
for error_path in aug.match('/augeas//error'):
root_logger.error('augeas: %s', aug.get(error_path))
raise
if krb.is_running():
krb.stop()
krb.start()
finally:
aug.close()
def disable_httpd_system_trust(http): def disable_httpd_system_trust(http):
ca_certs = [] ca_certs = []
@@ -1846,6 +1878,7 @@ def upgrade_configuration():
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
krb.add_anonymous_principal() krb.add_anonymous_principal()
setup_pkinit(krb) setup_pkinit(krb)
enable_certauth(krb)
if not ds_running: if not ds_running:
ds.stop(ds_serverid) ds.stop(ds_serverid)