From cc4f00b7fcbd01dcdfd920feda39cdd0344e7cd7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 14:11:26 +0300
Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not
exist
If sssd user does not exist, it means SSSD does not run as sssd user.
Currently SSSD has too tight a check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.
Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.
https://fedorahosted.org/freeipa/ticket/5136
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
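diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 85e3cc993b28f983f7e7ae068d9f9f135bab876e..e50c81e50e73b258bf08737c2d9a13a8832eb69f 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
 env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
 raiseonerr=False)
 # Make sure SSSD is able to read the keytab
- sssd = pwd.getpwnam('sssd')
- os.chown(oneway_keytab_name, sssd[2], sssd[3])
+ try:
+ sssd = pwd.getpwnam('sssd')
+ os.chown(oneway_keytab_name, sssd[2], sssd[3])
+ except KeyError as e:
+ # If user 'sssd' does not exist, we don't need to chown from root to sssd
+ # because it means SSSD does not run as sssd user
+ pass
 
 
 def parse_options():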
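Review bot: `except KeyError as e:` binds `e` but never uses it, and the `try` body also wraps `os.chown`, which cannot raise KeyError, so any failure from the chown itself is silently indistinguishable from "user missing" to a reader; narrow it to `except KeyError:` and move the chown into an `else:` branch so only the `pwd.getpwnam('sssd')` lookup is guarded. While these lines are being re-added, `sssd.pw_uid, sssd.pw_gid` reads more clearly than `sssd[2], sssd[3]`. Separately, the call whose tail is at the top of the hunk runs with `raiseonerr=False` (presumably the ipa-getkeytab invocation the description mentions), so if it failed the keytab may not exist and `os.chown` would then raise OSError out of this function uncaught; that is pre-existing, but a comment such as `# Assumes the keytab was written above; an OSError here means the fetch failed` would make the intent explicit. The enclosing retrieve_keytab starts before the hunk.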
--
2.4.3