From 99989ab3a9017ea9defc80c5a7047c119c29ff34 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Mon, 21 Sep 2015 10:09:50 +0200

Subject: [PATCH] install: create kdcproxy user during server install

This change makes kdcproxy user creation consistent with DS and CA user

creation. Before, the user was created in the spec file, in %pre scriptlet

of freeipa-server.

https://fedorahosted.org/freeipa/ticket/5314

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 freeipa.spec.in                     | 11 -----------

 ipaserver/install/httpinstance.py   | 14 ++++++++++++++

 ipaserver/install/ipa_restore.py    |  4 +++-

 ipaserver/install/server/upgrade.py |  1 +

 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in

index a8515487757556f337a4bbfc1cc14e8fb4707ccd..530f6141872804ab3801f2da6271fce0d9308a09 100644

--- a/freeipa.spec.in

+++ b/freeipa.spec.in

@@ -24,10 +24,6 @@

 %define _hardened_build 1

-%define kdcproxy_user kdcproxy

-%define kdcproxy_group kdcproxy

-%define kdcproxy_home %{_sharedstatedir}/kdcproxy

-

 Name:           freeipa

 Version:        __VERSION__

 Release:        __RELEASE__%{?dist}

@@ -568,13 +564,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then

 # END

 fi

-# create kdcproxy user

-getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}

-getent passwd %{kdcproxy_user} >/dev/null || \

-    /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \

-    -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}

-exit 0

-

 %postun server-trust-ad

 if [ "$1" -ge "1" ]; then

     if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py

index 792825621f68844a2b0b1265eeeb37e4247d66f8..4f2902e1b1ac03d9c6bd1949b66ede9abb5be28e 100644

--- a/ipaserver/install/httpinstance.py

+++ b/ipaserver/install/httpinstance.py

@@ -49,6 +49,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(

     httpd_run_ipa='on',

 )

+KDCPROXY_USER = 'kdcproxy'

+

 def httpd_443_configured():

     """

@@ -75,6 +77,17 @@ def httpd_443_configured():

     return False

+

+def create_kdcproxy_user():

+    """Create KDC proxy user/group if it doesn't exist yet."""

+    tasks.create_system_user(

+        name=KDCPROXY_USER,

+        group=KDCPROXY_USER,

+        homedir=paths.VAR_LIB,

+        shell=paths.NOLOGIN,

+    )

+

+

 class WebGuiInstance(service.SimpleServiceInstance):

     def __init__(self):

         service.SimpleServiceInstance.__init__(self, "ipa_webgui")

@@ -139,6 +152,7 @@ class HTTPInstance(service.Service):

         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)

         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)

         if not self.is_kdcproxy_configured():

+            self.step("create KDC proxy user", create_kdcproxy_user)

             self.step("create KDC proxy config", self.create_kdcproxy_conf)

             self.step("enable KDC proxy", self.enable_kdcproxy)

         self.step("restarting httpd", self.__start)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py

index dc57a4937365ad1db960955cf21e1bf2d2eb3dda..57d5deb1e68af6e9ceb51f4dd751b8a59d9ac513 100644

--- a/ipaserver/install/ipa_restore.py

+++ b/ipaserver/install/ipa_restore.py

@@ -370,6 +370,7 @@ class Restore(admintool.AdminTool):

                 self.restore_selinux_booleans()

+            http = httpinstance.HTTPInstance()

             # We do either a full file restore or we restore data.

             if restore_type == 'FULL':

@@ -381,6 +382,8 @@ class Restore(admintool.AdminTool):

                 self.cert_restore()

                 if 'CA' in self.backup_services:

                     self.__create_dogtag_log_dirs()

+                if http.is_kdcproxy_configured():

+                    httpinstance.create_kdcproxy_user()

             # Always restore the data from ldif

             # If we are restoring PKI-IPA then we need to restore the

@@ -409,7 +412,6 @@ class Restore(admintool.AdminTool):

                 self.log.info('Restarting SSSD')

                 sssd = services.service('sssd')

                 sssd.restart()

-                http = httpinstance.HTTPInstance()

                 http.remove_httpd_ccache()

         finally:

             try:

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 5288f8fcc5fb56b13773e3bb8ea6a5a6c8c0e8a9..0194f75477321a9e1660335ac8283d35aff8a0ec 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1439,6 +1439,7 @@ def upgrade_configuration():

             http.realm = api.env.realm

             http.suffix = ipautil.realm_to_suffix(api.env.realm)

             http.ldap_connect()

+        httpinstance.create_kdcproxy_user()

         http.create_kdcproxy_conf()

         http.enable_kdcproxy()

-- 

2.4.3