From cc4f00b7fcbd01dcdfd920feda39cdd0344e7cd7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 14:11:26 +0300
Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not
 exist

If the sssd user does not exist, it means SSSD does not run as the sssd user.

Currently SSSD has too tight a check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
the right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance the SSSD keytab permissions check so that
both sssd:sssd and root:root ownership are possible, and then when SSSD
switches to the 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable of running as the 'sssd' user but doesn't create the 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136

Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 85e3cc993b28f983f7e7ae068d9f9f135bab876e..e50c81e50e73b258bf08737c2d9a13a8832eb69f 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                                             env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
                                             raiseonerr=False)
     # Make sure SSSD is able to read the keytab
-    sssd = pwd.getpwnam('sssd')
-    os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    try:
+        sssd = pwd.getpwnam('sssd')
+        os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    except KeyError as e:
+        # If user 'sssd' does not exist, we don't need to chown from root to sssd
+        # because it means SSSD does not run as sssd user
+        pass
 
 
 def parse_options():
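Review bot: the `try` block wraps both the user lookup and the `os.chown()` call, but the `except KeyError` is only meant to cover the lookup; a chown failure raises `OSError`, not `KeyError`, so it still propagates, which is fine, but the intent is clearer if only `pwd.getpwnam('sssd')` sits inside the `try` and the chown moves to an `else:` branch. The bound exception variable `e` is never used, so `except KeyError:` is enough. Using the named fields `sssd.pw_uid` and `sssd.pw_gid` instead of `sssd[2]` and `sssd[3]` would also make the ownership change self-documenting. Suggested shape:
    except KeyError:
        pass  # no 'sssd' user: SSSD runs as root, keytab stays root:root 0600
    else:
        os.chown(oneway_keytab_name, sssd.pw_uid, sssd.pw_gid)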
-- 
2.4.3