diff --git a/freeipa.spec.in b/freeipa.spec.in
index 14106f515..bbce24687 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1221,7 +1221,6 @@ fi
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
-%{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e8f0d572..9e539a3f3 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -81,7 +81,6 @@ dist_app_DATA = \
 automember.ldif \
 replica-automember.ldif \
 replica-s4u2proxy.ldif \
- copy-schema-to-ca.py \
 sasl-mapping-fallback.ldif \
 schema-update.ldif \
 vault.ldif \
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
deleted file mode 100755
index 4daed6f51..000000000
--- a/install/share/copy-schema-to-ca.py
+++ /dev/null
@@ -1,126 +0,0 @@ -#! /usr/bin/python2 - -"""Copy the IPA schema to the CA directory server instance - -You need to run this script to prepare a 2.2 or 3.0 IPA master for -installation of a 3.1 replica. - -Once a 3.1 replica is in the domain, every older CA master will emit schema -replication errors until this script is run on it. - -""" - -import os -import sys -import pwd -import shutil - -from hashlib import sha1 - -from ipaplatform.paths import paths -from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger, standard_logging_setup -from ipaserver.install.dsinstance import schema_dirname -from ipalib import api - -try: - # BE CAREFUL when using the constants module - you need to define all - # the constants separately because of old IPA installations - from ipaplatform.constants import constants - PKI_USER = constants.PKI_USER - DS_USER = constants.DS_USER -except ImportError: - # oh dear, this is an old IPA (3.0+) - from ipaserver.install.dsinstance import DS_USER #pylint: disable=E0611 - from ipaserver.install.cainstance import PKI_USER #pylint: disable=E0611 - -try: - from ipaplatform import services -except ImportError: - from ipapython import services # pylint: disable=no-name-in-module - -SERVERID = "PKI-IPA" -SCHEMA_FILENAMES = ( - "60kerberos.ldif", - "60samba.ldif", - "60ipaconfig.ldif", - "60basev2.ldif", - "60basev3.ldif", - "60ipadns.ldif", - "61kerberos-ipav3.ldif", - "65ipacertstore.ldif", - "65ipasudo.ldif", - "70ipaotp.ldif", - "05rfc2247.ldif", -) - - -def _sha1_file(filename): - with open(filename, 'rb') as f: - return sha1(f.read()).hexdigest() - - -def add_ca_schema(): - """Copy IPA schema files into the CA DS instance - """ - pki_pent = pwd.getpwnam(PKI_USER) - ds_pent = pwd.getpwnam(DS_USER) - for schema_fname in SCHEMA_FILENAMES: - source_fname = os.path.join(paths.USR_SHARE_IPA_DIR, schema_fname) - target_fname = os.path.join(schema_dirname(SERVERID), schema_fname) - if not os.path.exists(source_fname): - 
root_logger.debug('File does not exist: %s', source_fname) - continue - if os.path.exists(target_fname): - target_sha1 = _sha1_file(target_fname) - source_sha1 = _sha1_file(source_fname) - if target_sha1 != source_sha1: - target_size = os.stat(target_fname).st_size - source_size = os.stat(source_fname).st_size - root_logger.info('Target file %s exists but the content is ' - 'different', target_fname) - root_logger.info('\tTarget file: sha1: %s, size: %s B', - target_sha1, target_size) - root_logger.info('\tSource file: sha1: %s, size: %s B', - source_sha1, source_size) - if not ipautil.user_input("Do you want replace %s file?" % - target_fname, True): - continue - - else: - root_logger.info( - 'Target exists, not overwriting: %s', target_fname) - continue - try: - shutil.copyfile(source_fname, target_fname) - except IOError as e: - root_logger.warning('Could not install %s: %s', target_fname, e) - else: - root_logger.info('Installed %s', target_fname) - os.chmod(target_fname, 0o440) # read access for dirsrv user/group - os.chown(target_fname, pki_pent.pw_uid, ds_pent.pw_gid) - - -def restart_pki_ds(): - """Restart the CA DS instance to pick up schema changes - """ - root_logger.info('Restarting CA DS') - services.service('dirsrv').restart(SERVERID) - - -def main(): - if os.getegid() != 0: - sys.exit("Must be root to run this script") - standard_logging_setup(verbose=True) - - # In 3.0, restarting needs access to api.env - api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA) - - add_ca_schema() - restart_pki_ds() - - root_logger.info('Schema updated successfully') - - -if __name__ == '__main__': - main() diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 42e45411a..f0d3c2368 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -1290,11 +1290,9 @@ def replica_ca_install_check(config, promote):
 else:
 root_logger.critical(
 'The master CA directory server does not have necessary schema. '
- 'Please copy the following script to all CA masters and run it '
- 'on them: %s\n'
+ 'Please run copy-schema-to-ca.py on all CA masters.\n'
 'If you are certain that this is a false positive, use '
- '--skip-schema-check.',
- os.path.join(paths.USR_SHARE_IPA_DIR, 'copy-schema-to-ca.py'))
+ '--skip-schema-check.')
 exit('IPA schema missing on master CA directory server')
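Review bot: The replacement message in replica_ca_install_check tells the operator to run copy-schema-to-ca.py on all CA masters, but this same commit stops shipping the script (dropped from freeipa.spec.in and install/share/Makefile.am, deleted from install/share) and the message no longer gives a path, so nothing says where a trustworthy copy comes from. The removed script insists on being run as root and rewrites schema files of the CA directory server, so an operator who fetches it from an arbitrary location ends up running unverified code with full privileges on a CA master. The message should name the supported source, e.g. `'Please run copy-schema-to-ca.py (from <official source location>) on all CA masters.\n'`, with the placeholder filled in by the project. Since the only other remedy offered is `--skip-schema-check`, a short comment above the call stating when skipping the check is actually safe would help. The function body starts before this hunk, so whether `os` and `paths` are still needed elsewhere in cainstance.py cannot be judged from here.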