IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use dedicated keytab for Samba

Browse Source 
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.

https://fedorahosted.org/freeipa/ticket/2168
This commit is contained in:
Alexander Bokovoy
2012-02-28 13:23:51 +02:00
committed by Martin Kosek
parent b32204fccc
commit dd244c02dd
2 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
install/share/smb.conf.template
View File

@@ -1,7 +1,8 @@
[global] [global]
workgroup = $NETBIOS_NAME workgroup = $NETBIOS_NAME
realm = $REALM realm = $REALM
kerberos method = system keytab kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no create krb5 conf = no
security = user security = user
domain master = yes domain master = yes
@@ -10,6 +11,7 @@ log level = 1
max log size = 100000 max log size = 100000
log file = /var/log/samba/log.%m log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://$LDAPI_SOCKET passdb backend = ipasam:ldapi://$LDAPI_SOCKET
disable spoolss = yes
ldapsam:trusted=yes ldapsam:trusted=yes
ldap ssl = off ldap ssl = off
ldap admin dn = $SMB_DN ldap admin dn = $SMB_DN

27
ipaserver/install/adtrustinstance.py
View File

@@ -255,7 +255,10 @@ class ADTRUSTInstance(service.Service):
conf_fd.close() conf_fd.close()
def __add_cldap_module(self): def __add_cldap_module(self):
self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict) try:
self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
except:
pass
def __write_smb_registry(self): def __write_smb_registry(self):
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template") template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
@@ -279,21 +282,23 @@ class ADTRUSTInstance(service.Service):
def __setup_principal(self): def __setup_principal(self):
cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
installutils.kadmin_addprinc(cifs_principal)
self.move_service(cifs_principal) api.Command.service_add(unicode(cifs_principal))
try: samba_keytab = "/etc/samba/samba.keytab"
ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal, if os.path.exists(samba_keytab):
"-k", "/etc/krb5.keytab"]) try:
except ipautil.CalledProcessError, e: ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal,
if e.returncode != 5: "-k", samba_keytab])
root_logger.critical("Failed to remove old key for %s" % cifs_principal) except ipautil.CalledProcessError, e:
root_logger.critical("Result of removing old key: %d" % e.returncode)
if e.returncode != 5:
root_logger.critical("Failed to remove old key for %s" % cifs_principal)
try: try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn, ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
"--principal", cifs_principal, "--principal", cifs_principal,
"-k", "/etc/krb5.keytab"]) "-k", samba_keytab])
except ipautil.CalledProcessError, e: except ipautil.CalledProcessError, e:
root_logger.critical("Failed to add key for %s" % cifs_principal) root_logger.critical("Failed to add key for %s" % cifs_principal)
@@ -368,7 +373,7 @@ class ADTRUSTInstance(service.Service):
try: try:
self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \ self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
self.suffix) self.suffix)
except ldap.ALREADY_EXISTS: except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
root_logger.critical("ADTRUST Service startup entry already exists.") root_logger.critical("ADTRUST Service startup entry already exists.")
pass pass