86baa9
From ca4e0582489a432a1f61fc75a27ef831e911f0fe Mon Sep 17 00:00:00 2001
86baa9
From: Alexander Bokovoy <abokovoy@redhat.com>
86baa9
Date: Thu, 27 Jun 2019 11:56:08 +0300
86baa9
Subject: [PATCH] adtrust upgrade: fix wrong primary principal name, part 2
86baa9
86baa9
Second part of the trust principals upgrade
86baa9
86baa9
For existing LOCAL-FLAT$@REMOTE object, convert it to
86baa9
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
86baa9
so we need to modify the entry content a bit, so it is better to remove
86baa9
the old entry and create a new one instead of renaming.
86baa9
86baa9
Resolves: https://pagure.io/freeipa/issue/7992
86baa9
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
86baa9
---
86baa9
 ipaserver/install/plugins/adtrust.py | 36 +++++++++++++++++++++++-----
86baa9
 1 file changed, 30 insertions(+), 6 deletions(-)
86baa9
86baa9
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
86baa9
index f810522b236d8c04f4a417aac8fd3717563c358e..12596d5bfe71c16a2cb87acb755a88051676e3e5 100644
86baa9
--- a/ipaserver/install/plugins/adtrust.py
86baa9
+++ b/ipaserver/install/plugins/adtrust.py
86baa9
@@ -513,16 +513,19 @@ class update_tdo_to_new_layout(Updater):
86baa9
 
86baa9
         if isinstance(principals, (list, tuple)):
86baa9
             trust_principal = principals[0]
86baa9
-            aliases = principals[1:]
86baa9
+            alias = principals[1]
86baa9
         else:
86baa9
             trust_principal = principals
86baa9
-            aliases = []
86baa9
+            alias = None
86baa9
 
86baa9
+        entry = None
86baa9
+        en = None
86baa9
         try:
86baa9
             entry = ldap.get_entry(
86baa9
                 DN(('krbprincipalname', trust_principal), trustdn))
86baa9
             dn = entry.dn
86baa9
             action = ldap.update_entry
86baa9
+            ticket_flags = int(entry.single_value.get('krbticketflags', 0))
86baa9
             logger.debug("Updating Kerberos principal entry for %s",
86baa9
                          trust_principal)
86baa9
         except errors.NotFound:
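Review bot: `alias = principals[1]` at the top of the hunk raises IndexError for a one-element list or tuple, whereas the replaced `principals[1:]` slice accepted any length and simply yielded no aliases; if any caller still passes a single-element sequence the updater now crashes instead of treating it as alias-less. A guard keeps the old tolerance: `alias = principals[1] if len(principals) > 1 else None`. Entries beyond index 1 are now dropped silently as well, which deserves a one-line comment if only pairs are ever expected. The enclosing method starts before the hunk, so what callers actually pass is not visible here.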
86baa9
@@ -531,6 +534,19 @@ class update_tdo_to_new_layout(Updater):
86baa9
             if flags & self.KRB_PRINC_MUST_EXIST:
86baa9
                 raise
86baa9
 
86baa9
+            ticket_flags = 0
86baa9
+            if alias:
86baa9
+                try:
86baa9
+                    en = ldap.get_entry(
86baa9
+                        DN(('krbprincipalname', alias), trustdn))
86baa9
+                    ldap.delete_entry(en.dn)
86baa9
+                    ticket_flags = int(en.single_value.get(
86baa9
+                        'krbticketflags', 0))
86baa9
+                except errors.NotFound:
86baa9
+                    logger.debug("Entry for alias TDO does not exist for "
86baa9
+                                 "trusted domain object %s, skip it",
86baa9
+                                 alias)
86baa9
+
86baa9
             dn = DN(('krbprincipalname', trust_principal), trustdn)
86baa9
             entry = ldap.make_entry(dn)
86baa9
             logger.debug("Adding Kerberos principal entry for %s",
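Review bot: `ldap.delete_entry(en.dn)` removes the old `LOCAL-FLAT$@REMOTE` entry — including its `krbprincipalkey`, which is the trust's shared secret — before the replacement entry is added by `action(entry)` later in the method, and LDAP offers no transaction to undo that. If the add then fails (schema violation, lost connection, a pre-existing conflicting entry) the key material exists only in this process's memory, the trust stops working until it is re-established, and a re-run of the updater finds nothing left to migrate. Consider keeping `en` and calling `ldap.delete_entry(en.dn)` only after `action(entry)` has succeeded; if krbprincipalname uniqueness makes that ordering impossible, add the new entry without the alias first, delete the old one, then add the alias, so the key blob is never held solely in memory. The method continues past both ends of the hunk.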
86baa9
@@ -545,15 +561,23 @@ class update_tdo_to_new_layout(Updater):
86baa9
             'krbprincipalname': [trust_principal],
86baa9
         }
86baa9
 
86baa9
-        entry_data['krbprincipalname'].extend(aliases)
86baa9
-
86baa9
         if flags & self.KRB_PRINC_CREATE_DISABLED:
86baa9
-            flg = int(entry.single_value.get('krbticketflags', 0))
86baa9
-            entry_data['krbticketflags'] = flg | self.KRB_DISALLOW_ALL_TIX
86baa9
+            entry_data['krbticketflags'] = (ticket_flags |
86baa9
+                                            self.KRB_DISALLOW_ALL_TIX)
86baa9
 
86baa9
         if flags & self.KRB_PRINC_CREATE_AGENT_PERMISSION:
86baa9
             entry_data['objectclass'].extend(['ipaAllowedOperations'])
86baa9
 
86baa9
+        if alias:
86baa9
+            entry_data['krbprincipalname'].extend([alias])
86baa9
+            if en:
86baa9
+                entry_data['krbprincipalkey'] = en.single_value.get(
86baa9
+                    'krbprincipalkey')
86baa9
+                entry_data['krbextradata'] = en.single_value.get(
86baa9
+                    'krbextradata')
86baa9
+                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
86baa9
+                    'ipaAllowedToPerform;read_keys', [])
86baa9
+
86baa9
         entry.update(entry_data)
86baa9
         try:
86baa9
             action(entry)
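Review bot: The `if en:` branch copies `krbprincipalkey` and `krbextradata` via `single_value.get(...)`, so an alias entry lacking either attribute puts `None` into `entry_data`, and `entry.update` then carries a `None` value into the add — presumably either rejected at encoding time or written as an empty attribute, neither of which matches the intent of keeping the existing key. It also copies `ipaAllowedToPerform;read_keys` unconditionally, while the `ipaAllowedOperations` objectclass is only added under `KRB_PRINC_CREATE_AGENT_PERMISSION`; if that attribute belongs to that objectclass, a trust whose old entry carried read_keys values but is migrated without the flag would fail with an objectclass violation, after the old entry has already been deleted. Copy only attributes the old entry actually has, and copy the read_keys list only when the objectclass is present (assuming the entry supports mapping-style membership tests, as `.get` suggests). `action(entry)` and its error handling continue past the end of the hunk.

```python
        if alias:
            entry_data['krbprincipalname'].extend([alias])
            if en:
                # Carry the old principal's key material over unchanged; skip
                # attributes the old entry did not have rather than writing None.
                for attr in ('krbprincipalkey', 'krbextradata'):
                    if attr in en:
                        entry_data[attr] = en.single_value.get(attr)
                # read_keys is only valid when the objectclass carrying it is set
                if 'ipaAllowedOperations' in entry_data['objectclass']:
                    entry_data['ipaAllowedToPerform;read_keys'] = en.get(
                        'ipaAllowedToPerform;read_keys', [])
        # … unchanged: entry.update(entry_data) / action(entry) …
```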
86baa9
-- 
86baa9
2.20.1
86baa9