From cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 28 Jan 2011 15:45:19 -0500 Subject: Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851 --- install/tools/ipa-replica-install | 36 +++++++++++--- install/tools/ipa-replica-prepare | 17 ++----- install/tools/ipa-server-install | 102 ++++++++++++++++++-------------------- ipaserver/install/cainstance.py | 62 ++++++++++++----------- ipaserver/install/dsinstance.py | 43 +++++++--------- ipaserver/install/krbinstance.py | 18 +++---- 6 files changed, 141 insertions(+), 137 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 3eb41daae..590fd645b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -22,6 +22,7 @@ import sys import socket import tempfile, os, pwd, traceback, logging, shutil +import grp from ConfigParser import SafeConfigParser from ipapython import ipautil @@ -33,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2 from ipapython import version from ipalib import api, errors, util from ipapython.config import IPAOptionParser +from ipapython import sysrestore CACERT="/etc/ipa/ca.crt" @@ -45,7 +47,6 @@ class ReplicaConfig: self.domain_name = "" self.master_host_name = "" self.dirman_password = "" - self.ds_user = "" self.host_name = "" self.dir = "" self.subject_base = "" @@ -116,7 +117,6 @@ def read_info(dir, rconfig): rconfig.realm_name = config.get("realm", "realm_name") rconfig.master_host_name = config.get("realm", "master_host_name") - rconfig.ds_user = config.get("realm", "ds_user") rconfig.domain_name = config.get("realm", "domain_name") rconfig.host_name = config.get("realm", "destination_host") rconfig.subject_base = config.get("realm", "subject_base") 
@@ -145,7 +145,7 @@ def resolve_host(host_name): return None def set_owner(config, dir): - pw = pwd.getpwnam(config.ds_user) + pw = pwd.getpwnam(dsinstance.DS_USER) os.chown(dir, pw.pw_uid, pw.pw_gid) def install_ca(config): @@ -168,9 +168,13 @@ def install_ca(config): sys.exit(1) cs = cainstance.CADSInstance() - cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) + cs.create_instance(config.realm_name, config.host_name, + config.domain_name, config.dirman_password) ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) - ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base) + ca.configure_instance(config.host_name, config.dirman_password, + config.dirman_password, pkcs12_info=(cafile,), + master_host=config.master_host_name, + subject_base=config.subject_base) return ca @@ -187,7 +191,7 @@ def install_replica_ds(config): config.dir + "/dirsrv_pin.txt") ds = dsinstance.DsInstance() - ds.create_replica(config.ds_user, config.realm_name, + ds.create_replica(config.realm_name, config.master_host_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info) @@ -205,7 +209,7 @@ def install_krb(config, setup_pkinit=False): pkcs12_info = (config.dir + "/pkinitcert.p12", config.dir + "/pkinit_pin.txt") - krb.create_replica(config.ds_user, config.realm_name, + krb.create_replica(config.realm_name, config.master_host_name, config.host_name, config.domain_name, config.dirman_password, ldappwd_filename, kpasswd_filename, @@ -339,6 +343,9 @@ def main(): if not ipautil.file_exists(filename): sys.exit("Replica file %s does not exist" % filename) + global sstore + sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') + # check the bind is installed if options.setup_dns: check_bind() 
@@ -393,6 +400,21 @@ def main(): api.bootstrap(in_server=True) api.finalize() + # Create DS group if it doesn't exist yet + try: + grp.getgrnam(dsinstance.DS_GROUP) + logging.debug("ds group %s exists" % dsinstance.DS_GROUP) + group_exists = True + except KeyError: + group_exists = False + args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP] + try: + ipautil.run(args) + logging.debug("done adding DS group") + except ipautil.CalledProcessError, e: + logging.critical("failed to add DS group: %s" % e) + sstore.backup_state("install", "group_exists", group_exists) + #Automatically disable pkinit w/ dogtag until that is supported #[certs.ipa_self_signed() must be called only after api.finalize()] if not ipautil.file_exists(config.dir + "/pkinitcert.p12") and not certs.ipa_self_signed(): diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 908c50a13..38d31aa60 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -183,19 +183,13 @@ def export_ra_pkcs12(dir, dm_password): finally: os.remove(agent_name) -def get_ds_user(ds_dir): - uid = os.stat(ds_dir).st_uid - user = pwd.getpwuid(uid)[0] - - return user - -def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host, +def save_config(dir, realm_name, host_name, + domain_name, dest_host, subject_base): config = SafeConfigParser() config.add_section("realm") config.set("realm", "realm_name", realm_name) config.set("realm", "master_host_name", host_name) - config.set("realm", "ds_user", ds_user) config.set("realm", "domain_name", domain_name) config.set("realm", "destination_host", dest_host) config.set("realm", "subject_base", subject_base) 
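Review bot: The new group-creation block in main() only logs a critical message when `groupadd` fails and then lets the install proceed, so the later `useradd -g dirsrv` in dsinstance and cainstance fails too and the directory instances end up configured for an account that does not exist; the installer should stop at that point, e.g. `sys.exit("failed to add DS group: %s" % e)` in place of the `logging.critical` call, as the script already does for other fatal conditions. The identical block is pasted into ipa-server-install's main() (the `@@ -695,6 +668,21 @@` hunk) with the same behaviour; a helper next to DS_GROUP in dsinstance would keep the two copies from drifting and give both installers the same failure handling. main() in this file starts and ends outside the hunk.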
@@ -213,8 +207,8 @@ def copy_files(realm_name, dir): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) try: - shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") - shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") + shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") + shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt") if ipautil.file_exists("/usr/share/ipa/html/preferences.html"): shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html") @@ -281,7 +275,6 @@ def main(): print "You can't create a replica on itself" sys.exit(1) ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm)) - ds_user = get_ds_user(ds_dir) # get the directory manager password dirman_password = options.password @@ -404,7 +397,7 @@ def main(): print "Copying additional files" copy_files(api.env.realm, dir) print "Finalizing configuration" - save_config(dir, api.env.realm, api.env.host, ds_user, api.env.domain, replica_fqdn, subject_base) + save_config(dir, api.env.realm, api.env.host, api.env.domain, replica_fqdn, subject_base) replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn encfile = replicafile+".gpg" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c07f6fc3e..4a40c13a2 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -31,7 +31,7 @@ import os import socket import errno import logging -import pwd +import grp import subprocess import signal import shutil @@ -58,8 +58,6 @@ from ipapython.ipautil import * from ipalib import api, errors, util from ipapython.config import IPAOptionParser -DEF_DS_USER = 'dirsrv' - pw_name = None uninstalling = False 
@@ -68,8 +66,6 @@ def parse_options(): # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit) namespace = random.randint(1, 10000) * 200000 parser = IPAOptionParser(version=version.VERSION) - parser.add_option("-u", "--user", dest="ds_user", - help="ds user") parser.add_option("-r", "--realm", dest="realm_name", help="realm name") parser.add_option("-n", "--domain", dest="domain_name", @@ -151,12 +147,10 @@ def parse_options(): parser.error("You cannot specify a --forwarder option together with --no-forwarders") if options.uninstall: - if (options.ds_user or options.realm_name or + if (options.realm_name or options.admin_password or options.master_password): - parser.error("In uninstall mode, -u, r and -P options are not allowed") + parser.error("In uninstall mode, -a, -r and -P options are not allowed") elif options.unattended: - if not options.ds_user: - options.ds_user = DEF_DS_USER if (not options.realm_name or not options.dm_password or not options.admin_password): parser.error("In unattended mode you need to provide at least -r, -p and -a options") 
@@ -306,32 +300,6 @@ def resolve_host(host_name): print "Unable to lookup the IP address of the provided host" return ip -def read_ds_user(): - print "The server must run as a specific user in a specific group." - print "It is strongly recommended that this user should have no privileges" - print "on the computer (i.e. a non-root user). The set up procedure" - print "will give this user/group some permissions in specific paths/files" - print "to perform server-specific operations." - print "" - - ds_user = "" - try: - pwd.getpwnam(DEF_DS_USER) - - print "A user account named %s already exists." % DEF_DS_USER - print "This is the user id that the Directory Server will run as." - print "" - if user_input("Do you want to use the existing %s account?" % DEF_DS_USER, True): - ds_user = DEF_DS_USER - else: - print "" - ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False) - print "" - except KeyError: - ds_user = DEF_DS_USER - - return ds_user - def read_domain_name(domain_name, unattended): print "The domain name has been calculated based on the host name." print "" @@ -447,6 +415,18 @@ def uninstall(): os.remove("/etc/httpd/conf.d/ipa.conf") except: pass + + group_exists = sstore.restore_state("install", "group_exists") + if group_exists == False: + try: + grp.getgrnam(dsinstance.DS_GROUP) + try: + ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP]) + except ipautil.CalledProcessError, e: + logging.critical("failed to delete group %s" % e) + except KeyError: + logging.info("Group %s already removed", dsinstance.DS_GROUP) + return 0 @@ -492,6 +472,8 @@ def main(): global fstore fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + global sstore + sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. 
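Review bot: The new `groupdel` step in uninstall() is driven by the recorded group_exists state alone, but DS_GROUP is now the primary group of both dirsrv and pkisrv (both useradd calls in this commit pass `-g dsinstance.DS_GROUP`), and groupdel refuses to remove a group that is still some user's primary group; whenever either user was pre-existing (its user_exists state True) or its userdel failed, this step can only log a critical error, so the ordering dependency deserves a comment such as `# must run after the DS and PKI-DS userdel steps: dirsrv is their primary group`, and the failure branch should say which case it is. `group_exists == False` reads as an equality test on an arbitrary value; `group_exists is False` states the intent (None, the never-saved case, must still be skipped), and the same `== False` pattern is introduced in the cainstance and dsinstance uninstall hunks. uninstall() starts outside the hunk.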
@@ -544,7 +526,6 @@ def main(): if not options.external_ca: check_dirsrv(options.unattended) - ds_user = "" realm_name = "" host_name = "" domain_name = "" @@ -629,14 +610,6 @@ def main(): print "Domain name: " + domain_name print "" - if not options.ds_user: - ds_user = read_ds_user() - if ds_user == "": - sys.exit(1) - logging.debug("read ds_user: %s\n" % ds_user) - else: - ds_user = options.ds_user - if not options.realm_name: realm_name = read_realm_name(domain_name, options.unattended) logging.debug("read realm_name: %s\n" % realm_name) @@ -695,6 +668,21 @@ def main(): print "Please wait until the prompt is returned." print "" + # Create DS group if it doesn't exist yet + try: + grp.getgrnam(dsinstance.DS_GROUP) + logging.debug("ds group %s exists" % dsinstance.DS_GROUP) + group_exists = True + except KeyError: + group_exists = False + args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP] + try: + ipautil.run(args) + logging.debug("done adding DS group") + except ipautil.CalledProcessError, e: + logging.critical("failed to add DS group: %s" % e) + sstore.backup_state("install", "group_exists", group_exists) + # Configure ntpd if options.conf_ntp: ntp = ntpinstance.NTPInstance(fstore) 
@@ -730,21 +718,26 @@ def main(): if options.external_cert_file is None: cs = cainstance.CADSInstance() - cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password) + cs.create_instance(realm_name, host_name, domain_name, dm_password) ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) if external == 0: - ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject) + ca.configure_instance(host_name, dm_password, dm_password, + subject_base=options.subject) elif external == 1: options.realm_name = realm_name options.domain_name = domain_name - options.ds_user = ds_user options.master_password = master_password options.host_name = host_default options.unattended = True write_cache(options) - ca.configure_instance("pkiuser", host_name, dm_password, dm_password, csr_file="/root/ipa.csr", subject_base=options.subject) + ca.configure_instance(host_name, dm_password, dm_password, + csr_file="/root/ipa.csr", + subject_base=options.subject) else: - ca.configure_instance("pkiuser", host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, subject_base=options.subject) + ca.configure_instance(host_name, dm_password, dm_password, + cert_file=options.external_cert_file, + cert_chain_file=options.external_ca_file, + subject_base=options.subject) # Now put the CA cert where other instances exepct it ca.publish_ca_cert("/etc/ipa/ca.crt") 
@@ -762,11 +755,14 @@ def main(): if options.dirsrv_pkcs12: pkcs12_info = (options.dirsrv_pkcs12, pw_name) try: - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow) + ds.create_instance(realm_name, host_name, domain_name, + dm_password, pkcs12_info, + subject_base=options.subject, + hbac_allow=not options.hbac_allow) finally: os.remove(pw_name) else: - ds.create_instance(ds_user, realm_name, host_name, domain_name, + ds.create_instance(realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, @@ -786,13 +782,13 @@ def main(): krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: pkcs12_info = (options.pkinit_pkcs12, pw_name) - krb.create_instance(ds_user, realm_name, host_name, domain_name, + krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, pkcs12_info=pkcs12_info, subject_base=options.subject) else: - krb.create_instance(ds_user, realm_name, host_name, domain_name, + krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, self_signed_ca=options.selfsign, diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index dfe036dd7..8aa1d4477 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -53,6 +53,9 @@ from ipalib import util DEFAULT_DSPORT=7389 +PKI_USER = "pkiuser" +PKI_DS_USER = "pkisrv" + # These values come from /usr/share/pki/ca/setup/postinstall PKI_INSTANCE_NAME="pki-ca" AGENT_SECURE_PORT=9443 @@ -219,7 +222,6 @@ class CADSInstance(service.Service): self.serverid = None self.host_name = None self.pkcs12_info = None - self.ds_user = None self.ds_port = None self.master_host = None if realm_name: 
@@ -228,8 +230,8 @@ class CADSInstance(service.Service): else: self.suffix = None - def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT): - self.ds_user = ds_user + def create_instance(self, realm_name, host_name, domain_name, + dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT): self.ds_port = ds_port self.realm_name = realm_name.upper() self.serverid = "PKI-IPA" @@ -250,26 +252,29 @@ class CADSInstance(service.Service): server_root = dsinstance.find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(), - REALM=self.realm_name, USER=self.ds_user, + REALM=self.realm_name, USER=PKI_DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, TIME=int(time.time()), DSPORT=self.ds_port) def __create_ds_user(self): user_exists = True try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) + pwd.getpwnam(PKI_DS_USER) + logging.debug("ds user %s exists" % PKI_DS_USER) except KeyError: user_exists = False - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] + logging.debug("adding ds user %s" % PKI_DS_USER) + args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP, + "-c", "PKI DS System User", + "-d", "/var/lib/dirsrv", + "-s", "/sbin/nologin", + "-M", "-r", PKI_DS_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.ds_user) self.backup_state("user_exists", user_exists) def __create_instance(self): 
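Review bot: `__create_ds_user` now passes `-g dsinstance.DS_GROUP` unconditionally, so CADSInstance.create_instance silently depends on its caller having created that group first; nothing in this class creates or checks it, and the `__main__` harness at the bottom of this file calls create_instance without it, so useradd fails there and the failure is merely logged. The same precondition is introduced in dsinstance's `__create_ds_user` (the `@@ -319,27 +318,22 @@` hunk), which until this commit let useradd create the group when it was missing. Either fail early with a clear message — a `grp.getgrnam(dsinstance.DS_GROUP)` check before the useradd, raising on KeyError (grp would need importing here if it is not already) — or at least record the contract on create_instance with `"""Requires the dsinstance.DS_GROUP group to exist; the installer scripts create it before calling this."""`. The enclosing class continues outside the hunk.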
@@ -328,17 +333,15 @@ class CADSInstance(service.Service): dsinstance.erase_ds_instance_data(serverid) self.service_name="pkids" - ds_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not ds_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", ds_user]) + ipautil.run(["/usr/sbin/userdel", PKI_DS_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) self.service_name = sav_name - class CAInstance(service.Service): """ In the self-signed case the CA exists in the NSS_DB database. @@ -360,7 +363,6 @@ class CAInstance(service.Service): def __init__(self, realm, ra_db): service.Service.__init__(self, "pki-cad") self.realm = realm - self.pki_user = "pkiuser" self.dm_password = None self.admin_password = None self.host_name = None @@ -389,7 +391,7 @@ class CAInstance(service.Service): def __del__(self): shutil.rmtree(self.ca_agent_db, ignore_errors=True) - def configure_instance(self, pki_user, host_name, dm_password, + def configure_instance(self, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, @@ -404,7 +406,6 @@ class CAInstance(service.Service): chain and actually proceed to create the CA. For step 1 set csr_file. For step 2 set cert_file and cert_chain_file. """ - self.pki_user = pki_user self.host_name = host_name self.dm_password = dm_password self.admin_password = admin_password 
@@ -484,19 +485,21 @@ class CAInstance(service.Service): def __create_ca_user(self): user_exists = True try: - pwd.getpwnam(self.pki_user) - logging.debug("ca user %s exists" % self.pki_user) + pwd.getpwnam(PKI_USER) + logging.debug("ca user %s exists" % PKI_USER) except KeyError: user_exists = False - logging.debug("adding ca user %s" % self.pki_user) - args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", "-M", "-r", "-s", "/sbin/nologin", self.pki_user] + logging.debug("adding ca user %s" % PKI_USER) + args = ["/usr/sbin/useradd", "-c", "CA System User", + "-d", "/var/lib", + "-s", "/sbin/nologin", + "-M", "-r", PKI_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.pki_user) self.backup_state("user_exists", user_exists) def __configure_instance(self): @@ -558,7 +561,7 @@ class CAInstance(service.Service): # The install wizard expects the file to be here. cafile = self.pkcs12_info[0] shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") - pent = pwd.getpwnam(self.pki_user) + pent = pwd.getpwnam(PKI_USER) os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) args.append("-clone") args.append("true") @@ -615,7 +618,7 @@ class CAInstance(service.Service): # Turn off Nonces (again) if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: raise RuntimeError("Disabling nonces failed") - pent = pwd.getpwnam(self.pki_user) + pent = pwd.getpwnam(PKI_USER) os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid ) # pkisilent makes a copy of the CA PKCS#12 file for us but gives 
@@ -934,8 +937,8 @@ class CAInstance(service.Service): publishdir='/var/lib/pki-ca/publish' os.mkdir(publishdir) os.chmod(publishdir, 0755) - pent = pwd.getpwnam(self.pki_user) - os.chown(publishdir, pent.pw_uid, pent.pw_gid ) + pent = pwd.getpwnam(PKI_USER) + os.chown(publishdir, pent.pw_uid, pent.pw_gid) # Enable file publishing, disable LDAP installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=') @@ -994,11 +997,10 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: logging.critical("failed to uninstall CA instance %s" % e) - pki_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not pki_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", pki_user]) + ipautil.run(["/usr/sbin/userdel", PKI_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) @@ -1013,6 +1015,6 @@ class CAInstance(service.Service): if __name__ == "__main__": installutils.standard_logging_setup("install.log", False) cs = CADSInstance() - cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password") + cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password") ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") - ca.configure_instance("pkiuser", "catest.example.com", "password", "password") + ca.configure_instance("catest.example.com", "password", "password") diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 299505201..0a33697d2 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -21,7 +21,6 @@ import shutil import logging import pwd -import grp import glob import sys import os 
@@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv" SERVER_ROOT_32 = "/usr/lib/dirsrv" CACERT="/etc/ipa/ca.crt" +DS_USER = 'dirsrv' +DS_GROUP = 'dirsrv' + def find_server_root(): if ipautil.dir_exists(SERVER_ROOT_64): return SERVER_ROOT_64 @@ -176,7 +178,6 @@ class DsInstance(service.Service): self.serverid = None self.fqdn = None self.pkcs12_info = None - self.ds_user = None self.dercert = None self.idstart = None self.idmax = None @@ -223,11 +224,10 @@ class DsInstance(service.Service): self.step("configuring directory to start on boot", self.__enable) - def create_instance(self, ds_user, realm_name, fqdn, domain_name, + def create_instance(self, realm_name, fqdn, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, idstart=1100, idmax=999999, subject_base=None, hbac_allow=True): - self.ds_user = ds_user self.realm_name = realm_name.upper() self.serverid = realm_to_serverid(self.realm_name) self.suffix = util.realm_to_suffix(self.realm_name) @@ -256,9 +256,8 @@ class DsInstance(service.Service): self.start_creation("Configuring directory server", 60) - def create_replica(self, ds_user, realm_name, master_fqdn, fqdn, + def create_replica(self, realm_name, master_fqdn, fqdn, domain_name, dm_password, pkcs12_info=None): - self.ds_user = ds_user self.realm_name = realm_name.upper() self.serverid = realm_to_serverid(self.realm_name) self.suffix = util.realm_to_suffix(self.realm_name) @@ -309,7 +308,7 @@ class DsInstance(service.Service): self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(), - REALM=self.realm_name, USER=self.ds_user, + REALM=self.realm_name, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, TIME=int(time.time()), IDSTART=self.idstart, IDMAX=self.idmax, HOST=self.fqdn, 
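Review bot: DS_USER and DS_GROUP are added without a comment, yet they now carry a cross-module contract: the installers and krbinstance chown files to DS_USER, cainstance creates pkisrv with DS_GROUP as its primary group, and both `__create_ds_user` methods assume the group already exists. A short comment above the two constants would record this, e.g. `# Account the IPA DS instance runs as. DS_GROUP is shared with the PKI DS user (pkisrv) and must be created by the installer before any create_instance() call.`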
@@ -319,27 +318,22 @@ class DsInstance(service.Service): def __create_ds_user(self): user_exists = True try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) + pwd.getpwnam(DS_USER) + logging.debug("ds user %s exists" % DS_USER) except KeyError: user_exists = False - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] - try: - # if the group already exists we need to request to add it, - # otherwise useradd will create it for us - grp.getgrnam(self.ds_user) - args.append("-g") - args.append(self.ds_user) - except KeyError: - pass + logging.debug("adding ds user %s" % DS_USER) + args = ["/usr/sbin/useradd", "-g", DS_GROUP, + "-c", "DS System User", + "-d", "/var/lib/dirsrv", + "-s", "/sbin/nologin", + "-M", "-r", DS_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.ds_user) self.backup_state("user_exists", user_exists) def __create_instance(self): @@ -617,12 +611,11 @@ class DsInstance(service.Service): dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) - ds_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not ds_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", ds_user]) + ipautil.run(["/usr/sbin/userdel", DS_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) @@ -686,7 +679,7 @@ class DsInstance(service.Service): fd.close() for line in lines: sline = line.strip() - if not sline.startswith(self.ds_user): + if not sline.startswith(DS_USER): continue if sline.find('nofile') == -1: continue 
@@ -711,7 +704,7 @@ class DsInstance(service.Service): if need_sysconf and need_limits: self.fstore.backup_file("/etc/security/limits.conf") fd = open("/etc/security/limits.conf", "a+") - fd.write('%s\t\t-\tnofile\t\t%s\n' % (self.ds_user, str(num))) + fd.write('%s\t\t-\tnofile\t\t%s\n' % (DS_USER, str(num))) fd.close() fd = open("/etc/sysconfig/dirsrv", "a+") diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 9f706797f..86804ce08 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -35,7 +35,7 @@ from ipalib import errors from ipaserver import ipaldap from ipaserver.install import replication -from ipaserver.install.dsinstance import realm_to_serverid +from ipaserver.install import dsinstance import ldap from ldap import LDAPError @@ -78,7 +78,6 @@ class KpasswdInstance(service.SimpleServiceInstance): class KrbInstance(service.Service): def __init__(self, fstore=None): service.Service.__init__(self, "krb5kdc") - self.ds_user = None self.fqdn = None self.realm = None self.domain = None @@ -124,8 +123,7 @@ class KrbInstance(service.Service): host_entry.setValue('managedby', host_dn) self.admin_conn.addEntry(host_entry) - def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password): - self.ds_user = ds_user + def __common_setup(self, realm_name, host_name, domain_name, admin_password): self.fqdn = host_name self.realm = realm_name.upper() self.host = host_name.split(".")[0] 
@@ -152,13 +150,13 @@ class KrbInstance(service.Service): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) - def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None): + def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.self_signed_ca = self_signed_ca self.subject_base = subject_base - self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password) + self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("setting KDC account password", self.__configure_kdc_account_password) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) @@ -183,7 +181,7 @@ class KrbInstance(service.Service): self.kpasswd = KpasswdInstance() self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix) - def create_replica(self, ds_user, realm_name, + def create_replica(self, realm_name, master_fqdn, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename, @@ -196,7 +194,7 @@ class KrbInstance(service.Service): self.__copy_kpasswd_keytab(kpasswd_filename) self.master_fqdn = master_fqdn - self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password) + self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) self.step("writing stash file from DS", self.__write_stash_from_ds) 
@@ -256,7 +254,7 @@ class KrbInstance(service.Service): SUFFIX=self.suffix, DOMAIN=self.domain, HOST=self.host, - SERVER_ID=realm_to_serverid(self.realm), + SERVER_ID=dsinstance.realm_to_serverid(self.realm), REALM=self.realm) def __configure_sasl_mappings(self): @@ -492,7 +490,7 @@ class KrbInstance(service.Service): installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal) update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") - pent = pwd.getpwnam(self.ds_user) + pent = pwd.getpwnam(dsinstance.DS_USER) os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid) def __create_host_keytab(self): -- cgit