|
 |
b01884 |
From 7f8858f8632d77497765bab79922f1762ce46d50 Mon Sep 17 00:00:00 2001
|
|
|
b01884 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
b01884 |
Date: Tue, 16 Oct 2018 17:54:09 +0300
|
|
|
b01884 |
Subject: [PATCH] net groupmap: force using empty config when mapping Guests
|
|
|
b01884 |
|
|
|
b01884 |
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
|
|
|
b01884 |
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
|
|
|
b01884 |
is now configured to use ipasam passdb module. We authenticate to LDAP
|
|
|
b01884 |
with GSSAPI in ipasam passdb module initialization.
|
|
|
b01884 |
|
|
|
b01884 |
If GSSAPI authentication failed (KDC is offline, for example, during
|
|
|
b01884 |
server upgrade), 'net groupmap add' crashes after ~10 attempts to
|
|
|
b01884 |
re-authenticate. This is intended behavior in smbd/winbindd as they
|
|
|
b01884 |
cannot work anymore. However, for the command line tools there are
|
|
|
b01884 |
plenty of operations where passdb module is not needed.
|
|
|
b01884 |
|
|
|
b01884 |
Additionally, GSSAPI authentication uses the default ccache in the
|
|
|
b01884 |
environment and a key from /etc/samba/samba.keytab keytab. This means
|
|
|
b01884 |
that if you'd run 'net *' as root, it will replace whatever Kerberos
|
|
|
b01884 |
tickets you have with a TGT for cifs/`hostname` and a service ticket to
|
|
|
b01884 |
ldap/`hostname` of IPA master.
|
|
|
b01884 |
|
|
|
b01884 |
Apply a simple solution to avoid using /etc/samba/smb.conf when we
|
|
|
b01884 |
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
|
|
|
b01884 |
call.
|
|
|
b01884 |
|
|
|
b01884 |
For upgrade code this is enough as in
|
|
|
b01884 |
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
|
|
|
b01884 |
credentials cache during upgrade to prevent tripping on individual
|
|
|
b01884 |
ccaches from KEYRING: or KCM: cache collections.
|
|
|
b01884 |
|
|
|
b01884 |
Related: https://pagure.io/freeipa/issue/7705
|
|
|
b01884 |
(cherry picked from commit e48f5a4d64d95c4c5cb5f8ede39cae5c7c1e512c)
|
|
|
b01884 |
---
|
|
|
b01884 |
ipaserver/install/adtrustinstance.py | 4 ++--
|
|
|
b01884 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
|
|
b01884 |
index da16748cf..3a751ccb2 100644
|
|
|
b01884 |
--- a/ipaserver/install/adtrustinstance.py
|
|
|
b01884 |
+++ b/ipaserver/install/adtrustinstance.py
|
|
|
b01884 |
@@ -114,8 +114,8 @@ def make_netbios_name(s):
|
|
|
b01884 |
|
|
|
b01884 |
def map_Guests_to_nobody():
|
|
|
b01884 |
env = {'LC_ALL': 'C'}
|
|
|
b01884 |
- args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',
|
|
|
b01884 |
- 'unixgroup=nobody', 'type=builtin']
|
|
|
b01884 |
+ args = [paths.NET, '-s', '/dev/null', 'groupmap', 'add',
|
|
|
b01884 |
+ 'sid=S-1-5-32-546', 'unixgroup=nobody', 'type=builtin']
|
|
|
b01884 |
|
|
|
b01884 |
logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
|
|
|
b01884 |
ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
|
|
|
b01884 |
--
|
|
|
b01884 |
2.17.2
|
|
|
b01884 |
|