authorAlexander Bokovoy <abokovoy@redhat.com>2012-02-28 13:23:51 +0200
committerMartin Kosek <mkosek@redhat.com>2012-06-07 09:39:09 +0200
commitdd244c02dd544f518574f45931342b97fd9e0162 (patch)
tree5ffa2b14913df9035aeceaddc254634345d58ddf /ipaserver
parentb32204fccc280714a32d56c15f70f770df82dfbd (diff)
Use dedicated keytab for Samba
Samba only needs the cifs/ key on the IPA server. Configure Samba to use a separate keytab file so that Samba commands (net, or similar) cannot mess up the system keytab. https://fedorahosted.org/freeipa/ticket/2168
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/adtrustinstance.py27
1 files changed, 16 insertions, 11 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f4379019d..b978146c3 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -255,7 +255,10 @@ class ADTRUSTInstance(service.Service):
conf_fd.close()
def __add_cldap_module(self):
- self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+ try:
+ self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+ except:
+ pass
def __write_smb_registry(self):
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
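Review bot: The bare `except: pass` added around `self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)` in `__add_cldap_module` discards every failure, including `KeyboardInterrupt` and `SystemExit`. An install where the CLDAP configuration was never loaded then looks the same as a successful one. If the intent is to tolerate an entry that already exists on a re-run (the hunk does not show which exception `_ldap_mod` raises for that), catch that specific exception and report anything else, for example `except Exception, e: root_logger.warning("Adding CLDAP configuration failed: %s" % e)`.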
@@ -279,21 +282,23 @@ class ADTRUSTInstance(service.Service):
def __setup_principal(self):
cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
- installutils.kadmin_addprinc(cifs_principal)
- self.move_service(cifs_principal)
+ api.Command.service_add(unicode(cifs_principal))
- try:
- ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal,
- "-k", "/etc/krb5.keytab"])
- except ipautil.CalledProcessError, e:
- if e.returncode != 5:
- root_logger.critical("Failed to remove old key for %s" % cifs_principal)
+ samba_keytab = "/etc/samba/samba.keytab"
+ if os.path.exists(samba_keytab):
+ try:
+ ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal,
+ "-k", samba_keytab])
+ except ipautil.CalledProcessError, e:
+ root_logger.critical("Result of removing old key: %d" % e.returncode)
+ if e.returncode != 5:
+ root_logger.critical("Failed to remove old key for %s" % cifs_principal)
try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
"--principal", cifs_principal,
- "-k", "/etc/krb5.keytab"])
+ "-k", samba_keytab])
except ipautil.CalledProcessError, e:
root_logger.critical("Failed to add key for %s" % cifs_principal)
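Review bot: The `ipa-getkeytab` failure branch at the end of this hunk only logs "Failed to add key" and carries on, so `__setup_principal` can finish with no cifs/ key in `samba_keytab` and later steps run against a Samba that cannot authenticate. Re-raising after the log call would stop the install at the real cause. Because `/etc/samba/samba.keytab` now holds a long-term service key outside the system keytab, it is also worth pinning its mode after a successful fetch rather than relying on the tool's default, e.g. `os.chmod(samba_keytab, 0600)`. The added `root_logger.critical("Result of removing old key: %d" % e.returncode)` also fires at critical level for return code 5, which the next line treats as acceptable; a debug-level message fits better. The function may continue past the end of the hunk.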
@@ -368,7 +373,7 @@ class ADTRUSTInstance(service.Service):
try:
self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
self.suffix)
- except ldap.ALREADY_EXISTS:
+ except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
root_logger.critical("ADTRUST Service startup entry already exists.")
pass
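Review bot: The new `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:` references `errors`, and `api.Command.service_add(...)` in the `__setup_principal` hunk references `api`, yet the diffstat's 16 insertions are all accounted for by the visible hunks and none adds an import. Both names must therefore already be imported in `adtrustinstance.py`. Otherwise the `except` clause raises `NameError` exactly when an exception is being matched, and that would mask the original error. Please confirm both imports exist. Separately, `e` is bound but never used and the trailing `pass` is redundant, so `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):` would be enough. The enclosing method starts outside the hunk.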