|
 |
ac7d03 |
From 6602dffc7ab8e9bdc7fefd02f9ed11e5575f5f7b Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
ac7d03 |
Date: Wed, 22 Mar 2017 16:41:59 +0100
|
|
|
ac7d03 |
Subject: [PATCH] Always check and create anonymous principal during KDC
|
|
|
ac7d03 |
install
|
|
|
ac7d03 |
|
|
|
ac7d03 |
The anonymous principal will now be checked for presence and created on
|
|
|
ac7d03 |
both server and replica install. This fixes errors caused during replica
|
|
|
ac7d03 |
installation against older master that do not have anonymous principal
|
|
|
ac7d03 |
present.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/6799
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
ipaserver/install/krbinstance.py | 17 +++++++++++++----
|
|
|
ac7d03 |
1 file changed, 13 insertions(+), 4 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
index 5f4b5282f54234c15b1a8d8273eff69e134e665b..6c105f74c8da2bfd34ace607b13170bc96a8ff1d 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
@@ -33,7 +33,7 @@ from ipaserver.install import installutils
|
|
|
ac7d03 |
from ipapython import ipaldap
|
|
|
ac7d03 |
from ipapython import ipautil
|
|
|
ac7d03 |
from ipapython import kernel_keyring
|
|
|
ac7d03 |
-from ipalib import api
|
|
|
ac7d03 |
+from ipalib import api, errors
|
|
|
ac7d03 |
from ipalib.constants import ANON_USER
|
|
|
ac7d03 |
from ipalib.install import certmonger
|
|
|
ac7d03 |
from ipapython.ipa_log_manager import root_logger
|
|
|
ac7d03 |
@@ -142,6 +142,7 @@ class KrbInstance(service.Service):
|
|
|
ac7d03 |
pass
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def __common_post_setup(self):
|
|
|
ac7d03 |
+ self.step("creating anonymous principal", self.add_anonymous_principal)
|
|
|
ac7d03 |
self.step("starting the KDC", self.__start_instance)
|
|
|
ac7d03 |
self.step("configuring KDC to start on boot", self.__enable)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -160,7 +161,6 @@ class KrbInstance(service.Service):
|
|
|
ac7d03 |
self.step("creating a keytab for the directory", self.__create_ds_keytab)
|
|
|
ac7d03 |
self.step("creating a keytab for the machine", self.__create_host_keytab)
|
|
|
ac7d03 |
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
|
|
|
ac7d03 |
- self.step("creating anonymous principal", self.add_anonymous_principal)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.__common_post_setup()
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -432,8 +432,17 @@ class KrbInstance(service.Service):
|
|
|
ac7d03 |
def add_anonymous_principal(self):
|
|
|
ac7d03 |
# Create the special anonymous principal
|
|
|
ac7d03 |
princ_realm = self.get_anonymous_principal_name()
|
|
|
ac7d03 |
- installutils.kadmin_addprinc(princ_realm)
|
|
|
ac7d03 |
- self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
|
|
|
ac7d03 |
+ dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
|
|
|
ac7d03 |
+ try:
|
|
|
ac7d03 |
+ self.api.Backend.ldap2.get_entry(dn)
|
|
|
ac7d03 |
+ except errors.NotFound:
|
|
|
ac7d03 |
+ installutils.kadmin_addprinc(princ_realm)
|
|
|
ac7d03 |
+ self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+ try:
|
|
|
ac7d03 |
+ self.api.Backend.ldap2.set_entry_active(dn, True)
|
|
|
ac7d03 |
+ except errors.AlreadyActive:
|
|
|
ac7d03 |
+ pass
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def __convert_to_gssapi_replication(self):
|
|
|
ac7d03 |
repl = replication.ReplicationManager(self.realm,
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.12.2
|
|
|
ac7d03 |
|