6d47df
From 1ef0fe8bb824282c2f48417efda3a60e7c1bf580 Mon Sep 17 00:00:00 2001
6d47df
From: Alexander Bokovoy <abokovoy@redhat.com>
6d47df
Date: Tue, 9 Oct 2018 17:21:37 +0300
6d47df
Subject: [PATCH] adtrust: define Guests mapping after creating cifs/ principal
6d47df
6d47df
All Samba utilities load passdb modules from the configuration file. As a
6d47df
result, 'net groupmap' call would try to initialize ipasam passdb module
6d47df
and that one would try to connect to LDAP using Kerberos authentication.
6d47df
6d47df
We should be running it after cifs/ principal is actually created in
6d47df
ipa-adtrust-install or otherwise setting up group mapping will fail.
6d47df
6d47df
This only affects new installations. For older ones 'net groupmap' would
6d47df
work just fine because adtrust is already configured and all principals
6d47df
exist already.
6d47df
6d47df
A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
6d47df
the initial setup.
6d47df
6d47df
Related: https://pagure.io/freeipa/issue/7705
6d47df
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
6d47df
---
6d47df
 ipaserver/install/adtrustinstance.py | 4 ++--
6d47df
 1 file changed, 2 insertions(+), 2 deletions(-)
6d47df
6d47df
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
6d47df
index 46c4ad663..da16748cf 100644
6d47df
--- a/ipaserver/install/adtrustinstance.py
6d47df
+++ b/ipaserver/install/adtrustinstance.py
6d47df
@@ -837,8 +837,6 @@ class ADTRUSTInstance(service.Service):
6d47df
                   self.__create_samba_domain_object)
6d47df
         self.step("creating samba config registry", self.__write_smb_registry)
6d47df
         self.step("writing samba config file", self.__write_smb_conf)
6d47df
-        self.step("map BUILTIN\\Guests to nobody group",
6d47df
-                  self.__map_Guests_to_nobody)
6d47df
         self.step("adding cifs Kerberos principal",
6d47df
                   self.request_service_keytab)
6d47df
         self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
6d47df
@@ -850,6 +848,8 @@ class ADTRUSTInstance(service.Service):
6d47df
         self.step("updating Kerberos config", self.__update_krb5_conf)
6d47df
         self.step("activating CLDAP plugin", self.__add_cldap_module)
6d47df
         self.step("activating sidgen task", self.__add_sidgen_task)
6d47df
+        self.step("map BUILTIN\\Guests to nobody group",
6d47df
+                  self.__map_Guests_to_nobody)
6d47df
         self.step("configuring smbd to start on boot", self.__enable)
6d47df
         self.step("adding special DNS service records", \
6d47df
                   self.__add_dns_service_records)
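Review bot: The ordering constraint behind this move is not recorded at the re-added `self.step("map BUILTIN\\Guests to nobody group", self.__map_Guests_to_nobody)` call, so a later reshuffle of the step list could reintroduce the failure on fresh installs. A comment directly above it would pin this down, for example `# 'net groupmap' loads the ipasam passdb module, which binds to LDAP with Kerberos:` followed by `# keep this step after the cifs/ principal and its keytab have been created.` The body of `__map_Guests_to_nobody` is not visible here, so it is worth confirming that a failed `net groupmap` call aborts the install instead of only being logged; otherwise the guest mapping could be missing without the installer reporting it. The enclosing method starts and ends outside this hunk.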
6d47df
-- 
6d47df
2.17.1
6d47df