|
 |
86baa9 |
From bb5026c5a265b78f9c889bd818ccfac9959b7d77 Mon Sep 17 00:00:00 2001
|
|
|
86baa9 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
86baa9 |
Date: Tue, 9 Oct 2018 17:21:37 +0300
|
|
|
86baa9 |
Subject: [PATCH] adtrust: define Guests mapping after creating cifs/ principal
|
|
|
86baa9 |
|
|
|
86baa9 |
All Samba utilities load passdb modules from the configuration file. As
|
|
|
86baa9 |
result, 'net groupmap' call would try to initialize ipasam passdb module
|
|
|
86baa9 |
and that one would try to connect to LDAP using Kerberos authentication.
|
|
|
86baa9 |
|
|
|
86baa9 |
We should be running it after cifs/ principal is actually created in
|
|
|
86baa9 |
ipa-adtrust-install or otherwise setting up group mapping will fail.
|
|
|
86baa9 |
|
|
|
86baa9 |
This only affects new installations. For older ones 'net groupmap' would
|
|
|
86baa9 |
work just fine because adtrust is already configured and all principals
|
|
|
86baa9 |
exist already.
|
|
|
86baa9 |
|
|
|
86baa9 |
A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
|
|
|
86baa9 |
the initial setup.
|
|
|
86baa9 |
|
|
|
86baa9 |
Related: https://pagure.io/freeipa/issue/7705
|
|
|
86baa9 |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
86baa9 |
(cherry picked from commit 1ef0fe8bb824282c2f48417efda3a60e7c1bf580)
|
|
|
86baa9 |
---
|
|
|
86baa9 |
ipaserver/install/adtrustinstance.py | 4 ++--
|
|
|
86baa9 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
86baa9 |
|
|
|
86baa9 |
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
|
|
86baa9 |
index d6b8f5cfa66c0cfbc6d47906703fc09c3e961a53..4141d8991cf75b60dea4ec123f0e3931bb3e6976 100644
|
|
|
86baa9 |
--- a/ipaserver/install/adtrustinstance.py
|
|
|
86baa9 |
+++ b/ipaserver/install/adtrustinstance.py
|
|
|
86baa9 |
@@ -845,8 +845,6 @@ class ADTRUSTInstance(service.Service):
|
|
|
86baa9 |
self.__create_samba_domain_object)
|
|
|
86baa9 |
self.step("creating samba config registry", self.__write_smb_registry)
|
|
|
86baa9 |
self.step("writing samba config file", self.__write_smb_conf)
|
|
|
86baa9 |
- self.step("map BUILTIN\\Guests to nobody group",
|
|
|
86baa9 |
- self.__map_Guests_to_nobody)
|
|
|
86baa9 |
self.step("adding cifs Kerberos principal",
|
|
|
86baa9 |
self.request_service_keytab)
|
|
|
86baa9 |
self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
|
|
|
86baa9 |
@@ -858,6 +856,8 @@ class ADTRUSTInstance(service.Service):
|
|
|
86baa9 |
self.step("updating Kerberos config", self.__update_krb5_conf)
|
|
|
86baa9 |
self.step("activating CLDAP plugin", self.__add_cldap_module)
|
|
|
86baa9 |
self.step("activating sidgen task", self.__add_sidgen_task)
|
|
|
86baa9 |
+ self.step("map BUILTIN\\Guests to nobody group",
|
|
|
86baa9 |
+ self.__map_Guests_to_nobody)
|
|
|
86baa9 |
self.step("configuring smbd to start on boot", self.__enable)
|
|
|
86baa9 |
self.step("adding special DNS service records", \
|
|
|
86baa9 |
self.__add_dns_service_records)
|
|
|
86baa9 |
--
|
|
|
86baa9 |
2.20.1
|
|
|
86baa9 |
|