From dd4ae3da2d341a25b63936b689e53fdbc8e93f65 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.
Also host name and principal name must have the same case.
Report an error when configuring an ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:
    [20/21]: starting CIFS services
    ipa         : CRITICAL CIFS services failed to start
    where samba logs have this:
    [2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
      kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
    [2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
      Connection to LDAP server failed for the 16 try!
Fixes https://pagure.io/freeipa/issue/6786
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/adtrustinstance.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b189854f568ea5d8c0e68077255939887ff0cc3..b4db055045823ce8ae7e3b264e1442a085f81b2d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@ import uuid
 import string
 import struct
 import re
+import socket
 
 import six
 
@@ -689,6 +690,15 @@ class ADTRUSTInstance(service.Service):
         except Exception as e:
             root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+    def __validate_server_hostname(self):
+        hostname = socket.gethostname()
+        if hostname != self.fqdn:
+            raise ValueError("Host reports different name than configured: "
+                             "'%s' versus '%s'. Samba requires to have "
+                             "the same hostname or Kerberos principal "
+                             "'cifs/%s' will not be found in Samba keytab." %
+                             (hostname, self.fqdn, self.fqdn))
+
     def __start(self):
         try:
             self.start()
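Review bot: `__validate_server_hostname` has no docstring, and the `if hostname != self.fqdn:` line is an exact, case-sensitive comparison whose rationale exists only in the commit message; a later reader could relax it to a `.lower()` or short-name match and silently reintroduce the keytab lookup failure this patch is meant to prevent. Suggest adding a docstring that states the contract, for example `"""Fail if gethostname() differs from the configured FQDN. The comparison is deliberately exact, including case: ipasam derives the cifs/<hostname> principal from gethostname(), so any mismatch means the key will not be found in the Samba keytab."""`. Whether a ValueError raised from a `self.step` callback aborts the installer with a readable message or is merely logged depends on service.Service, which is outside this patch and worth confirming.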
@@ -804,6 +814,8 @@ class ADTRUSTInstance(service.Service):
         api.Backend.ldap2.add_entry(entry)
 
     def create_instance(self):
+        self.step("validate server hostname",
+                  self.__validate_server_hostname)
         self.step("stopping smbd", self.__stop)
         self.step("creating samba domain object", \
                   self.__create_samba_domain_object)
-- 
2.12.2