From cc4f00b7fcbd01dcdfd920feda39cdd0344e7cd7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 14:11:26 +0300
Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not
 exist
If sssd user does not exist, it means SSSD does not run as sssd user.
Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.
Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable of running as the 'sssd' user but doesn't create the 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.
https://fedorahosted.org/freeipa/ticket/5136
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 85e3cc993b28f983f7e7ae068d9f9f135bab876e..e50c81e50e73b258bf08737c2d9a13a8832eb69f 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                                             env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
                                             raiseonerr=False)
     # Make sure SSSD is able to read the keytab
-    sssd = pwd.getpwnam('sssd')
-    os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    try:
+        sssd = pwd.getpwnam('sssd')
+        os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    except KeyError as e:
+        # If user 'sssd' does not exist, we don't need to chown from root to sssd
+        # because it means SSSD does not run as sssd user
+        pass
 
 
 def parse_options():
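Review bot: `except KeyError as e:` binds `e` but never uses it, so `except KeyError:` is enough; the enclosing retrieve_keytab starts before this hunk. The try body also wraps `os.chown`, although only `pwd.getpwnam` can raise KeyError (a failed chown raises OSError and will still propagate), so the "user does not exist" comment reads as if it also explained a failed chown; moving the chown into an `else:` branch keeps the handler tied to the single call it guards. The indices in `os.chown(oneway_keytab_name, sssd[2], sssd[3])` would read more clearly as `sssd.pw_uid, sssd.pw_gid`. When the user is absent the keytab keeps the ownership ipa-getkeytab gave it, which the commit message describes as the intended fallback; a short comment stating that the permissions set by ipa-getkeytab are relied on in that case would make the invariant explicit at the call site.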
-- 
2.4.3