From bc70a5146f9554225539079452e2d62f03c7edf2 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 17 Sep 2008 11:09:39 -0400
Subject: Remove reference to very unlikely service examples that are not currently kerberized (and may never be due to their nature).
---
 ipa-admintools/man/ipa-addservice.1 | 3 ---
 ipa-server/ipa-gui/ipagui/forms/principal.py | 5 +----
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/ipa-admintools/man/ipa-addservice.1 b/ipa-admintools/man/ipa-addservice.1
index aec92be31..545505720 100644
--- a/ipa-admintools/man/ipa-addservice.1
+++ b/ipa-admintools/man/ipa-addservice.1
@@ -32,14 +32,11 @@ service/fully\-qualified\-hostname
 The list of possible services is too extensive to list here but a short list is:
 cifs
-dhcp
 dns
 host
 HTTP
 ldap
 nfs
-rpc
-snmp
 The IPA server automatically appends the Kerberos realm for which it is configured. You cannot specify a different realm.
diff --git a/ipa-server/ipa-gui/ipagui/forms/principal.py b/ipa-server/ipa-gui/ipagui/forms/principal.py
index 02c62f26a..8ff5eed03 100644
--- a/ipa-server/ipa-gui/ipagui/forms/principal.py
+++ b/ipa-server/ipa-gui/ipagui/forms/principal.py
@@ -26,15 +26,12 @@ class PrincipalFields(object):
 label="Service Type",
 options = [
 ("cifs", "cifs"),
- ("dhcp", "dhcp"),
 ("dns", "dns"),
 ("host", "host"),
 ("HTTP", "HTTP"),
 ("ldap", "ldap"),
 ("nfs", "nfs"),
- ("other", "other"),
- ("rpc", "rpc"),
- ("snmp", "snmp")
+ ("other", "other")
 ],
 attrs=dict(onchange="toggleOther(this.id)"))
 other = widgets.TextField(name="other", label="Other Service", attrs=dict(size=10))
-- cgit
From f6cd489909dd4cdc799b1cbe85b1c01ab2339c36 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 17 Sep 2008 09:45:00 -0400
Subject: We were assuming that, if the realm was correct then also the rest of the krb5.conf configuration were. This clearly breaks with the default EXAMPLE.COM realm configuratrion. Furthermore it makes it not possible to try to 'fix' an installation by rerruninng ipa-client-install This patch removes the special case and avoids krb5.conf only if the on_master flag is passed. Fix also one inner 'if' statement to be simpler to understand.
---
 ipa-client/ipa-install/ipa-client-install | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index eec36e4e3..cd5bfdde1 100644
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -271,11 +271,8 @@ def main():
 print "Creation of /etc/ldap.conf: " + str(e)
 return 1
- #Check if kerberos is already configured properly
- krbctx = krbV.default_context()
- # If we find our domain assume we are properly configured
- #(ex. we are configuring the client side of a Master)
- if not options.on_master and (not krbctx.default_realm == cli_realm or options.force):
+ #If on master assume kerberos is already configured properly.
+ if not options.on_master:
 #Configure krb5.conf
 krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
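Review bot: The removed `krbctx = krbV.default_context()` was the only use of `krbV` visible in this hunk, so the script's `krbV` import (outside the hunk) may now be dead unless another part of main() still needs it; worth checking and dropping if so. The replacement comment explains the master case but not why every other run now unconditionally rewrites krb5.conf, which is the point of the commit; suggest `#Always (re)write krb5.conf on clients, so a rerun can repair a broken or default EXAMPLE.COM configuration` above the new `if`. main() continues beyond both ends of this hunk.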
@@ -289,12 +286,12 @@ def main():
 #[libdefaults]
 libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
- if dnsok and not options.force and not options.on_master:
- libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'})
- libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
- else:
+ if not dnsok or options.force:
 libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
 libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
+ else:
+ libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'})
+ libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
-- cgit
From b4938f5e350cd8463e7be060168f26a739d014ca Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 18 Sep 2008 16:49:35 -0400
Subject: Fix syntax error
---
 ipa-server/ipaserver/krbinstance.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 598c2b200..252844304 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -48,6 +48,10 @@ import pyasn1.codec.ber.decoder
 import struct
 import base64
+KRBMKEY_DENY_ACI = """
+(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+"""
+
 def update_key_val_in_file(filename, key, val):
 if os.path.exists(filename):
 pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
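Review bot: In the new `else` branch `dns_lookup_realm` is switched to `true` together with `dns_lookup_kdc`, although the realm is already pinned by the `default_realm` option two lines above; with dns_lookup_realm enabled the client will also accept a host-to-realm mapping from DNS TXT records, which is unauthenticated data the installer does not need because it already knows cli_realm. Unless a later part of the generated configuration relies on it, consider keeping `dns_lookup_realm` at `false` in both branches and toggling only `dns_lookup_kdc`, i.e. move `libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})` above the `if` and drop the two realm lines from the branches. The enclosing main() extends beyond this hunk.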
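Review bot: `KRBMKEY_DENY_ACI` is moved to module scope without any comment on its `$SUFFIX` placeholder, which presumably is substituted before the ACI is applied by `__add_master_key` (that method lies outside this hunk). A one-line comment above the constant, `# ACI denying all access to krbMKey except for the kdc system account; $SUFFIX is substituted at install time`, would make both the intent and the substitution step explicit. PEP 8 also expects two blank lines between a module-level constant and the following `def`; the hunk adds only one.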
@@ -339,10 +343,6 @@ class KrbInstance(service.Service):
 def __add_pwd_extop_module(self):
 self.__ldap_mod("pwd-extop-conf.ldif")
-KRBMKEY_DENY_ACI = """
-(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-"""
-
 def __add_master_key(self):
 #get the Master Key from the stash file
 try:
-- cgit
From ca07cdb390e78439a8da326d1874276509541661 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 17 Sep 2008 23:18:09 -0400
Subject: Add detection to the update tool to detect when it would apply changes. Remove SUP name from RFC2307bis.update to match FDS
---
 ipa-server/ipa-install/updates/RFC2307bis.update | 2 +-
 ipa-server/ipa-ldap-updater | 7 ++--
 ipa-server/ipaserver/ldapupdate.py | 46 ++++++++++++++++++++++--
 ipa-server/man/ipa-ldap-updater.1 | 4 ++-
 4 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/ipa-server/ipa-install/updates/RFC2307bis.update b/ipa-server/ipa-install/updates/RFC2307bis.update
index 6d08d5786..1ddebc1a2 100644
--- a/ipa-server/ipa-install/updates/RFC2307bis.update
+++ b/ipa-server/ipa-install/updates/RFC2307bis.update
@@ -16,7 +16,7 @@ add:attributeTypes: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC2307bis' ) add:attributeTypes:
- ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain'
+ ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain'
 DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC2307bis' )
diff --git a/ipa-server/ipa-ldap-updater b/ipa-server/ipa-ldap-updater
index 38ccf6670..90119950e 100755
--- a/ipa-server/ipa-ldap-updater
+++ b/ipa-server/ipa-ldap-updater
@@ -99,9 +99,12 @@ def main():
 else:
 files = args
- ld.update(files)
+ modified = ld.update(files)
- return 0
+ if modified and options.test:
+ return 2
+ else:
+ return 0
 try:
 if __name__ == "__main__":
diff --git a/ipa-server/ipaserver/ldapupdate.py b/ipa-server/ipaserver/ldapupdate.py
index 638cd9a09..f4c868383 100755
--- a/ipa-server/ipaserver/ldapupdate.py
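Review bot: The new `return 2` under `options.test` introduces a third exit status that callers of ipa-ldap-updater must know about, and only the man page hunk in this commit says so; nothing in the code does. A comment on the branch, `# exit status 2 = changes pending; only reported in --test mode (see ipa-ldap-updater.1)`, would keep the script and its manual in sync. The `try:` / `if __name__` context suggests main()'s return value becomes the process exit status via a wrapper outside the hunk, which I could not confirm from here.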
+++ b/ipa-server/ipaserver/ldapupdate.py
@@ -53,6 +53,7 @@ class LDAPUpdate():
 self.live_run = live_run
 self.dm_password = dm_password
 self.conn = None
+ self.modified = False
 krbctx = krbV.default_context()
@@ -454,6 +455,31 @@ class LDAPUpdate():
 logging.debug(a + ": ")
 for l in value:
 logging.debug("\t" + l)
+ def is_schema_updated(self, s):
+ """Compare the schema in 's' with the current schema in the DS to
+ see if anything has changed. This should account for syntax
+ differences (like added parens that make no difference but are
+ detected as a change by generateModList()).
+
+ This doesn't handle re-ordering of attributes. They are still
+ detected as changes, so foo $ bar != bar $ foo.
+
+ return True if the schema has changed
+ return False if it has not
+ """
+ s = ldap.schema.SubSchema(s)
+ s = s.ldap_entry()
+
+ # Get a fresh copy and convert into a SubSchema
+ n = self.__get_entry("cn=schema")[0]
+ n = dict(n.data)
+ n = ldap.schema.SubSchema(n)
+ n = n.ldap_entry()
+
+ if s == n:
+ return False
+ else:
+ return True
 def __update_record(self, update):
 found = False
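Review bot: The trailing `if s == n: return False else: return True` in `is_schema_updated` reduces to `return s != n`, which also reads directly as the docstring's contract. Reusing `s` and `n` for three different types in turn (dict, SubSchema, entry) makes the method harder to follow; naming the two final entries e.g. `wanted`/`current` would help. The comparison depends on `ldap_entry()` yielding a canonical form on both sides, as the docstring claims; if it preserves attribute order the `foo $ bar != bar $ foo` caveat is already acknowledged, so only the first two points need action.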
@@ -498,19 +524,31 @@ class LDAPUpdate():
 else:
 # Update LDAP
 try:
- logging.debug("%s" % self.conn.generateModList(entry.origDataDict(), entry.toDict()))
- if self.live_run:
+ updated = False
+ changes = self.conn.generateModList(entry.origDataDict(), entry.toDict())
+ if (entry.dn == "cn=schema"):
+ updated = self.is_schema_updated(entry.toDict())
+ else:
+ if len(changes) > 1:
+ updated = True
+ logging.debug("%s" % changes)
+ if self.live_run and updated:
 self.conn.updateEntry(entry.dn, entry.origDataDict(), entry.toDict())
 logging.info("Done")
 except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
 logging.info("Entry already up-to-date")
+ updated = False
 except ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR), e:
 logging.error("Update failed: %s: %s", e, self.__detail_error(e.detail))
+ updated = False
 if ("cn=index" in entry.dn and "cn=userRoot" in entry.dn):
 taskid = self.create_index_task(entry.cn)
 self.monitor_index_task(taskid)
+
+ if updated:
+ self.modified = True
 return
 def get_all_files(self, root, recursive=False):
@@ -526,6 +564,8 @@ class LDAPUpdate():
 def update(self, files):
 """Execute the update. files is a list of the update files to use.
+
+ returns True if anything was changed, otherwise False
 """
 try:
@@ -551,4 +591,4 @@ class LDAPUpdate():
 finally:
 if self.conn:
 self.conn.unbind()
- return
+ return self.modified
diff --git a/ipa-server/man/ipa-ldap-updater.1 b/ipa-server/man/ipa-ldap-updater.1
index 4a1dd5cda..453ac758f 100644
--- a/ipa-server/man/ipa-ldap-updater.1
+++ b/ipa-server/man/ipa-ldap-updater.1
@@ -66,7 +66,7 @@ A few rules:
 Enable debug logging when more verbose output is needed
 .TP
 \fB\-t\fR, \fB\-\-test\fR
-Run through the update without changing anything
+Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
 .TP
 \fB\-y\fR
 File containing the Directory Manager password
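Review bot: `if len(changes) > 1: updated = True` treats a modlist containing exactly one modification as "no change", so an entry whose update is a single attribute change is never written in live mode and is not counted in `self.modified`; unless generateModList() (defined outside this hunk) always returns a leading bookkeeping element, the test should be `if changes:`. The parenthesised `if (entry.dn == "cn=schema"):` and the `else: if ...` pair could be flattened to `elif changes:` in the same change. __update_record continues outside the hunk.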
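Review bot: `update()` now returns `self.modified`, but the flag is initialised only in `__init__` and is never cleared at the start of a run, so a second `update()` call on the same instance reports True even when that run changed nothing. If an LDAPUpdate object is ever reused, add `self.modified = False` as the first statement of `update()` (its body is mostly outside this hunk); otherwise a docstring line stating that the result is cumulative over the instance's lifetime would do.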
@@ -74,3 +74,5 @@ File containing the Directory Manager password
 0 if the command was successful
 1 if an error occurred
+
+2 if run with in test mode (\-t) and updates are available
-- cgit
From a62b85a233c7223f3b7f327ba912d2810929dc6a Mon Sep 17 00:00:00 2001
From: Martin Nagy
Date: Thu, 18 Sep 2008 22:58:10 +0200
Subject: Fix architecture detection in ldapupdate
---
 ipa-server/ipaserver/ldapupdate.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/ipa-server/ipaserver/ldapupdate.py b/ipa-server/ipaserver/ldapupdate.py
index f4c868383..e28562cec 100755
--- a/ipa-server/ipaserver/ldapupdate.py
+++ b/ipa-server/ipaserver/ldapupdate.py
@@ -112,9 +112,9 @@ class LDAPUpdate():
 etc. Determine if a suffix is needed based on the current architecture. """
- arch = platform.platform()
+ bits = platform.architecture()[0]
- if arch == "x86_64":
+ if bits == "64bit":
 return "64"
 else:
 return ""
@@ -320,9 +320,8 @@ class LDAPUpdate():
 attrlist = ['nstaskstatus', 'nstaskexitcode']
 entry = None
- done = False
- while not done:
+ while True:
 try:
 entry = self.conn.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)", attrlist)
 except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
@@ -340,7 +339,7 @@ class LDAPUpdate():
 if status.lower().find("finished") > -1:
 logging.info("Indexing finished")
- done = True
+ break
 logging.debug("Indexing in progress")
 time.sleep(1)
-- cgit
From 7b799d8c6f5a740be3e2433d03cfc4d41b496ef6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 19 Sep 2008 23:09:09 -0400
Subject: Fix class declaration to work with Python 2.4
---
 ipa-server/ipaserver/ldapupdate.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipa-server/ipaserver/ldapupdate.py b/ipa-server/ipaserver/ldapupdate.py
index e28562cec..b2b402b56 100755
--- a/ipa-server/ipaserver/ldapupdate.py
+++ b/ipa-server/ipaserver/ldapupdate.py
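Review bot: `platform.architecture()[0]` reports the pointer width of the running Python interpreter, not of the host, so a 32-bit interpreter on a 64-bit system now yields `""` where the intent of the old `== "x86_64"` comparison was clearly `"64"`; if this suffix selects a lib64 path for the directory server, that combination would resolve to the wrong directory. `platform.machine()` (the `uname -m` value, e.g. `x86_64`) describes the host and is the closer match: `if platform.machine() == "x86_64":`. The enclosing method's signature lies outside the hunk.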
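Review bot: The new `while True:` in monitor_index_task has no upper bound, so if the task entry never reports "finished" the updater sleeps forever one second at a time; the original `done` flag had the same property, but since the loop is being rewritten a bounded wait would make the failure visible, e.g. `for attempt in range(MAX_INDEX_WAIT):` with a `logging.error` after the loop (MAX_INDEX_WAIT being a constant you would define). The part of the loop body between the two hunks is outside my view, so I cannot tell whether the LDAP_NOT_FOUND handler already exits the loop.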
@@ -43,7 +43,7 @@ class BadSyntax(Exception):
 def __str__(self):
 return repr(self.value)
-class LDAPUpdate():
+class LDAPUpdate:
 def __init__(self, dm_password, sub_dict={}, live_run=True):
 """dm_password = Directory Manager password
 sub_dict = substitution dictionary
-- cgit
From 4d8a255c062d943695ae35c467ec8f2b0f7fa4b7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 24 Sep 2008 17:50:56 -0400
Subject: Fix segfault in ipa-getkeytab 463548
---
 ipa-client/ipa-getkeytab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index f153094d8..fbeb547a8 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -756,7 +756,7 @@ int main(int argc, char *argv[])
 if (!password) {
 exit(2);
 }
- } else if (strchr(enctypes_string, ':')) {
+ } else if (enctypes_string && strchr(enctypes_string, ':')) {
 if (!quiet) {
 fprintf(stderr, "Warning: salt types are not honored with randomized passwords (see opt. -P)\n");
 }
-- cgit
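Review bot: The added NULL guard covers only this one `strchr`; `enctypes_string` presumably is parsed again in the enctype handling further down main() (outside this hunk), and if that path dereferences it without the same check the crash is moved rather than removed. Giving the option a non-NULL default once, right after option parsing, or checking it at every use would close the remaining cases; a short comment here, `/* -e is optional: enctypes_string may still be NULL */`, would explain why the guard is needed. main() extends well beyond both ends of the hunk.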