Blame SOURCES/0130-install-create-kdcproxy-user-during-server-install.patch
From 99989ab3a9017ea9defc80c5a7047c119c29ff34 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 21 Sep 2015 10:09:50 +0200
Subject: [PATCH] install: create kdcproxy user during server install
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 freeipa.spec.in                     | 11 -----------
 ipaserver/install/httpinstance.py   | 14 ++++++++++++++
 ipaserver/install/ipa_restore.py    |  4 +++-
 ipaserver/install/server/upgrade.py |  1 +
 4 files changed, 18 insertions(+), 12 deletions(-)
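--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,6 @@
 
 %define _hardened_build 1
 
-%define kdcproxy_user kdcproxy
-%define kdcproxy_group kdcproxy
-%define kdcproxy_home %{_sharedstatedir}/kdcproxy
-
 Name:           freeipa
 Version:        __VERSION__
 Release:        __RELEASE__%{?dist}
@@ -568,13 +564,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
-# create kdcproxy user
-getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
-getent passwd %{kdcproxy_user} >/dev/null || \
-    /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \
-    -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
-exit 0
-
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
     if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then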
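--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -49,6 +49,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_run_ipa='on',
 )
 
+KDCPROXY_USER = 'kdcproxy'
+
 
 def httpd_443_configured():
     """
@@ -75,6 +77,17 @@ def httpd_443_configured():
 
     return False
 
+
+def create_kdcproxy_user():
+    """Create KDC proxy user/group if it doesn't exist yet."""
+    tasks.create_system_user(
+        name=KDCPROXY_USER,
+        group=KDCPROXY_USER,
+        homedir=paths.VAR_LIB,
+        shell=paths.NOLOGIN,
+    )
+
+
 class WebGuiInstance(service.SimpleServiceInstance):
     def __init__(self):
         service.SimpleServiceInstance.__init__(self, "ipa_webgui")
@@ -139,6 +152,7 @@ class HTTPInstance(service.Service):
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
         if not self.is_kdcproxy_configured():
+            self.step("create KDC proxy user", create_kdcproxy_user)
             self.step("create KDC proxy config", self.create_kdcproxy_conf)
             self.step("enable KDC proxy", self.enable_kdcproxy)
         self.step("restarting httpd", self.__start)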
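Review bot: `create_kdcproxy_user()` passes `homedir=paths.VAR_LIB`, whereas the `%pre` scriptlet this commit removes from freeipa.spec.in gave the account a dedicated home (`%{_sharedstatedir}/kdcproxy`, created with `-m`). The definition of `paths.VAR_LIB` is not on this page, but if it resolves to the shared state directory itself, the service account's home becomes a directory shared with other services rather than one it owns. Because the docstring says creation is skipped when the user already exists, hosts provisioned before and after this change would also end up with different account attributes. Consider a dedicated directory constant, or record the choice next to the call with a comment such as `# NOTE: home is paths.VAR_LIB, not a dedicated kdcproxy directory as in the old RPM scriptlet`.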
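--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -370,6 +370,7 @@ class Restore(admintool.AdminTool):
 
                 self.restore_selinux_booleans()
 
+            http = httpinstance.HTTPInstance()
 
             # We do either a full file restore or we restore data.
             if restore_type == 'FULL':
@@ -381,6 +382,8 @@ class Restore(admintool.AdminTool):
                 self.cert_restore()
                 if 'CA' in self.backup_services:
                     self.__create_dogtag_log_dirs()
+                if http.is_kdcproxy_configured():
+                    httpinstance.create_kdcproxy_user()
 
             # Always restore the data from ldif
             # If we are restoring PKI-IPA then we need to restore the
@@ -409,7 +412,6 @@ class Restore(admintool.AdminTool):
                 self.log.info('Restarting SSSD')
                 sssd = services.service('sssd')
                 sssd.restart()
-                http = httpinstance.HTTPInstance()
                 http.remove_httpd_ccache()
         finally:
             try: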
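Review bot: In the FULL-restore branch the account is created only after `self.cert_restore()`, so the restore steps above this hunk have presumably already written files back by then. Anything in the backup owned by kdcproxy would be extracted before the account exists, and a freshly created account is not guaranteed to get the UID/GID recorded in the archive. It is worth confirming that no restored path depends on that ownership, or re-applying ownership after `httpinstance.create_kdcproxy_user()`. A comment on the new call would also help, e.g. `# the RPM no longer creates this account; recreate it when the restored config enables the KDC proxy`. The restore method's body starts and ends outside the hunks shown.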
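--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1439,6 +1439,7 @@ def upgrade_configuration():
             http.realm = api.env.realm
             http.suffix = ipautil.realm_to_suffix(api.env.realm)
             http.ldap_connect()
+        httpinstance.create_kdcproxy_user()
         http.create_kdcproxy_conf()
         http.enable_kdcproxy()
 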
-- 
2.4.3