From dd4ae3da2d341a25b63936b689e53fdbc8e93f65 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
with the configuration
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using a non-FQDN name but the system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.
Also host name and principal name must have the same case.
Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:
[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
where samba logs have this:
[2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
[2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!
Fixes https://pagure.io/freeipa/issue/6786
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/adtrustinstance.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
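diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b189854f568ea5d8c0e68077255939887ff0cc3..b4db055045823ce8ae7e3b264e1442a085f81b2d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@ import uuid
 import string
 import struct
 import re
+import socket
 
 import six
 
@@ -689,6 +690,15 @@ class ADTRUSTInstance(service.Service):
         except Exception as e:
             root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+    def __validate_server_hostname(self):
+        hostname = socket.gethostname()
+        if hostname != self.fqdn:
+            raise ValueError("Host reports different name than configured: "
+                             "'%s' versus '%s'. Samba requires to have "
+                             "the same hostname or Kerberos principal "
+                             "'cifs/%s' will not be found in Samba keytab." %
+                             (hostname, self.fqdn, self.fqdn))
+
     def __start(self):
         try:
             self.start()
@@ -804,6 +814,8 @@ class ADTRUSTInstance(service.Service):
         api.Backend.ldap2.add_entry(entry)
 
     def create_instance(self):
+        self.step("validate server hostname",
+                  self.__validate_server_hostname)
         self.step("stopping smbd", self.__stop)
         self.step("creating samba domain object", \
                   self.__create_samba_domain_object)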
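Review bot: The new `__validate_server_hostname` in the second hunk has no docstring explaining why the comparison against `self.fqdn` must be an exact, case-sensitive string match; the commit message gives the reason (ipasam derives the cifs/<hostname> principal from the runtime gethostname() result and the keytab lookup needs the same spelling and case), but nothing in the code does, so a later maintainer could "fix" it to a case-insensitive compare and reintroduce the keytab failure. Suggest a docstring along the lines of `"""Refuse to configure ADTrust unless socket.gethostname() equals self.fqdn exactly; ipasam builds the cifs/<hostname> principal from the runtime hostname, and a case or FQDN mismatch means no matching key in the Samba keytab."""`. It is also worth stating there that the check runs only as the first step of `create_instance`, so a hostname change made after installation is not caught by it. `self.fqdn` is assigned outside the hunk, presumably in the constructor.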
--
2.12.2