freeipa/ipaserver/install
Alexander Bokovoy 3b79deae53 net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.

If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.

Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.

Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.

For upgrade code this is enough as in a678336b8b we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-23 16:50:43 +02:00
plugins Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
server Handle NTP configuration in a replica server installation 2018-10-19 11:53:32 -04:00
__init__.py Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06 15:42:33 +02:00
adtrust.py ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum 2018-08-13 12:35:06 +02:00
adtrustinstance.py net groupmap: force using empty config when mapping Guests 2018-10-23 16:50:43 +02:00
bindinstance.py Fix zonemgr encoding issue 2018-10-05 09:04:15 -04:00
ca.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
cainstance.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
certs.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
conncheck.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
custodiainstance.py Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER 2018-09-12 13:11:21 +02:00
dns.py Fix zonemgr encoding issue 2018-10-05 09:04:15 -04:00
dnskeysyncinstance.py Delay enabling services until end of installer 2018-07-06 13:26:43 +02:00
dogtag.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
dogtaginstance.py Catch ACIError instead of invalid credentials 2018-06-29 15:48:43 +02:00
dsinstance.py Remove DL0 specific code from dsinstance ipaserver/install 2018-09-12 13:11:21 +02:00
httpinstance.py httpinstance: Restore SELinux context of session_dir /etc/httpd/alias 2018-08-03 13:23:21 +02:00
installutils.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipa_backup.py Fix HTTPD SSL configuration for Debian. 2018-05-29 17:03:56 +02:00
ipa_cacert_manage.py Fix pylint 2.0 return-related violations 2018-07-11 10:11:38 +02:00
ipa_kra_install.py Remove DL0 specific code from ipa_kra_install in ipaserver/install 2018-09-12 13:11:21 +02:00
ipa_ldap_updater.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
ipa_otptoken_import.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_pkinit_manage.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipa_replica_install.py Remove DL0 specific code from ipa_replica_install in ipaserver/install 2018-09-12 13:11:21 +02:00
ipa_restore.py ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X 2018-08-03 13:23:21 +02:00
ipa_server_certinstall.py Fix pylint 2.0 return-related violations 2018-07-11 10:11:38 +02:00
ipa_server_install.py Improve console logging for ipa-server-install 2018-06-20 08:38:03 +02:00
ipa_server_upgrade.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipa_winsync_migrate.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
kra.py Remove DL0 specific code from kra in ipaserver/install 2018-09-12 13:11:21 +02:00
krainstance.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
krbinstance.py Remove unused promote arg in krbinstance.create_replica in ipaserver/install 2018-09-12 13:11:21 +02:00
ldapupdate.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
odsexporterinstance.py Delay enabling services until end of installer 2018-07-06 13:26:43 +02:00
opendnssecinstance.py Delay enabling services until end of installer 2018-07-06 13:26:43 +02:00
otpdinstance.py Enable pylint missing-final-newline check 2015-12-23 07:59:22 +01:00
replication.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
schemaupdate.py logging: do not use ipa_log_manager to create module-level loggers 2017-07-14 15:55:59 +02:00
service.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
sysupgrade.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
upgradeinstance.py Re-open the ldif file to prevent error message 2018-08-16 12:45:00 +02:00