From 1ef0fe8bb824282c2f48417efda3a60e7c1bf580 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 9 Oct 2018 17:21:37 +0300
Subject: [PATCH] adtrust: define Guests mapping after creating cifs/ principal
All Samba utilities load passdb modules from the configuration file. As
result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.
We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.
This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.
A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/adtrustinstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 46c4ad663..da16748cf 100644
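--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -837,8 +837,6 @@ class ADTRUSTInstance(service.Service):
 self.__create_samba_domain_object)
 self.step("creating samba config registry", self.__write_smb_registry)
 self.step("writing samba config file", self.__write_smb_conf)
- self.step("map BUILTIN\\Guests to nobody group",
- self.__map_Guests_to_nobody)
 self.step("adding cifs Kerberos principal",
 self.request_service_keytab)
 self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
@@ -850,6 +848,8 @@ class ADTRUSTInstance(service.Service):
 self.step("updating Kerberos config", self.__update_krb5_conf)
 self.step("activating CLDAP plugin", self.__add_cldap_module)
 self.step("activating sidgen task", self.__add_sidgen_task)
+ self.step("map BUILTIN\\Guests to nobody group",
+ self.__map_Guests_to_nobody)
 self.step("configuring smbd to start on boot", self.__enable)
 self.step("adding special DNS service records", \
 self.__add_dns_service_records)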
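Review bot: The re-added `self.step("map BUILTIN\\Guests to nobody group", self.__map_Guests_to_nobody)` in the second hunk is now correct only because of where it sits in the step list, and nothing in the code records that constraint. The commit message explains that `net groupmap` initialises the ipasam passdb module, which connects to LDAP with Kerberos, so the step has to stay after `request_service_keytab` and presumably after the step that adds the principals to the adtrust agents group. I would put a comment directly above it, for example `# Keep after the cifs/ principal and keytab are created: 'net groupmap' loads ipasam, which authenticates to LDAP via Kerberos.` The body of `__map_Guests_to_nobody` is not part of this diff, so whether a failing `net groupmap` aborts the install or is only logged cannot be confirmed from here and is worth checking. The enclosing method starts and ends outside both hunks.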
--
2.17.1