|
 |
483b06 |
From 2bd0e49b7a7ba98a8ee6872cc7c3e619578c4431 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
483b06 |
Date: Wed, 5 Apr 2017 17:29:26 +0200
|
|
|
483b06 |
Subject: [PATCH] Stop requesting anonymous keytab and purge all references of
|
|
|
483b06 |
it
|
|
|
483b06 |
|
|
|
483b06 |
anonymous kinit using keytab never worked so we may safely remove all
|
|
|
483b06 |
code that requests/uses it.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6830
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
483b06 |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
483b06 |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
483b06 |
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaplatform/base/paths.py | 1 -
|
|
|
483b06 |
ipaserver/install/httpinstance.py | 17 -----------------
|
|
|
483b06 |
ipaserver/install/ipa_backup.py | 1 -
|
|
|
483b06 |
ipaserver/install/server/upgrade.py | 1 -
|
|
|
483b06 |
4 files changed, 20 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
|
|
483b06 |
index dbdd71ed0b4d69c1101db4aeb7d93152ab8aa730..f80c9e95ab875222887e3692ab80151f84345469 100644
|
|
|
483b06 |
--- a/ipaplatform/base/paths.py
|
|
|
483b06 |
+++ b/ipaplatform/base/paths.py
|
|
|
483b06 |
@@ -50,7 +50,6 @@ class BasePathNamespace(object):
|
|
|
483b06 |
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
|
|
|
483b06 |
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
|
|
|
483b06 |
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
|
|
|
483b06 |
- ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
|
|
|
483b06 |
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
|
|
|
483b06 |
IDMAPD_CONF = "/etc/idmapd.conf"
|
|
|
483b06 |
ETC_IPA = "/etc/ipa"
|
|
|
483b06 |
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
|
|
483b06 |
index f0a477e0bf16b03ed8b937279dad88e6e2b3aab6..7898c53bc02785e2750dba61a5696f079355c9d7 100644
|
|
|
483b06 |
--- a/ipaserver/install/httpinstance.py
|
|
|
483b06 |
+++ b/ipaserver/install/httpinstance.py
|
|
|
483b06 |
@@ -30,7 +30,6 @@ import locale
|
|
|
483b06 |
|
|
|
483b06 |
import six
|
|
|
483b06 |
|
|
|
483b06 |
-from ipalib.constants import IPAAPI_USER
|
|
|
483b06 |
from ipalib.install import certmonger
|
|
|
483b06 |
from ipaserver.install import service
|
|
|
483b06 |
from ipaserver.install import certs
|
|
|
483b06 |
@@ -42,7 +41,6 @@ from ipapython.ipa_log_manager import root_logger
|
|
|
483b06 |
import ipapython.errors
|
|
|
483b06 |
from ipaserver.install import sysupgrade
|
|
|
483b06 |
from ipalib import api
|
|
|
483b06 |
-from ipalib.constants import ANON_USER
|
|
|
483b06 |
from ipaplatform.constants import constants
|
|
|
483b06 |
from ipaplatform.tasks import tasks
|
|
|
483b06 |
from ipaplatform.paths import paths
|
|
|
483b06 |
@@ -158,7 +156,6 @@ class HTTPInstance(service.Service):
|
|
|
483b06 |
self.step("adding URL rewriting rules", self.__add_include)
|
|
|
483b06 |
self.step("configuring httpd", self.__configure_http)
|
|
|
483b06 |
self.step("setting up httpd keytab", self.request_service_keytab)
|
|
|
483b06 |
- self.step("retrieving anonymous keytab", self.request_anon_keytab)
|
|
|
483b06 |
self.step("configuring Gssproxy", self.configure_gssproxy)
|
|
|
483b06 |
self.step("setting up ssl", self.__setup_ssl)
|
|
|
483b06 |
if self.ca_is_configured:
|
|
|
483b06 |
@@ -304,20 +301,6 @@ class HTTPInstance(service.Service):
|
|
|
483b06 |
if certmonger_stopped:
|
|
|
483b06 |
certmonger.stop()
|
|
|
483b06 |
|
|
|
483b06 |
- def request_anon_keytab(self):
|
|
|
483b06 |
- parent = os.path.dirname(paths.ANON_KEYTAB)
|
|
|
483b06 |
- if not os.path.exists(parent):
|
|
|
483b06 |
- os.makedirs(parent, 0o755)
|
|
|
483b06 |
-
|
|
|
483b06 |
- self.clean_previous_keytab(keytab=paths.ANON_KEYTAB)
|
|
|
483b06 |
- self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
|
|
|
483b06 |
-
|
|
|
483b06 |
- pent = pwd.getpwnam(IPAAPI_USER)
|
|
|
483b06 |
- os.chmod(parent, 0o700)
|
|
|
483b06 |
- os.chown(parent, pent.pw_uid, pent.pw_gid)
|
|
|
483b06 |
-
|
|
|
483b06 |
- self.set_keytab_owner(keytab=paths.ANON_KEYTAB, owner=IPAAPI_USER)
|
|
|
483b06 |
-
|
|
|
483b06 |
def create_password_conf(self):
|
|
|
483b06 |
"""
|
|
|
483b06 |
This is the format of mod_nss pin files.
|
|
|
483b06 |
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
|
|
|
483b06 |
index f71a40bb06545c8d89d1e3fdbc37d5e6e1fe8d58..40f08d7d727a8b97b5996f15d27c1e20788e1473 100644
|
|
|
483b06 |
--- a/ipaserver/install/ipa_backup.py
|
|
|
483b06 |
+++ b/ipaserver/install/ipa_backup.py
|
|
|
483b06 |
@@ -120,7 +120,6 @@ class Backup(admintool.AdminTool):
|
|
|
483b06 |
)
|
|
|
483b06 |
|
|
|
483b06 |
files = (
|
|
|
483b06 |
- paths.ANON_KEYTAB,
|
|
|
483b06 |
paths.NAMED_CONF,
|
|
|
483b06 |
paths.NAMED_KEYTAB,
|
|
|
483b06 |
paths.RESOLV_CONF,
|
|
|
483b06 |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
483b06 |
index 927acb011172de926773196eb1d032af8376f3d9..ea2918f5037898b6b8dc601441a439b6150d54e5 100644
|
|
|
483b06 |
--- a/ipaserver/install/server/upgrade.py
|
|
|
483b06 |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
483b06 |
@@ -1795,7 +1795,6 @@ def upgrade_configuration():
|
|
|
483b06 |
KDC_KEY=paths.KDC_KEY,
|
|
|
483b06 |
CACERT_PEM=paths.CACERT_PEM)
|
|
|
483b06 |
krb.add_anonymous_principal()
|
|
|
483b06 |
- http.request_anon_keytab()
|
|
|
483b06 |
setup_pkinit(krb)
|
|
|
483b06 |
|
|
|
483b06 |
if not ds_running:
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.2
|
|
|
483b06 |
|