From dd244c02dd544f518574f45931342b97fd9e0162 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 28 Feb 2012 13:23:51 +0200
Subject: Use dedicated keytab for Samba

Samba just needs the cifs/ key on the ipa server. Configure samba to use a different keytab file so that we do not risk samba commands (net, or similar) to mess up the system keytab.

https://fedorahosted.org/freeipa/ticket/2168
---
 install/share/smb.conf.template | 4 +++-
 ipaserver/install/adtrustinstance.py | 27 ++++++++++++++++-----------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 4ab79daa5..8ed521b50 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -1,7 +1,8 @@
 [global]
 workgroup = $NETBIOS_NAME
 realm = $REALM
-kerberos method = system keytab
+kerberos method = dedicated keytab
+dedicated keytab file = FILE:/etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
@@ -10,6 +11,7 @@ log level = 1
 max log size = 100000
 log file = /var/log/samba/log.%m
 passdb backend = ipasam:ldapi://$LDAPI_SOCKET
+disable spoolss = yes
 ldapsam:trusted=yes
 ldap ssl = off
 ldap admin dn = $SMB_DN
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f4379019d..b978146c3 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -255,7 +255,10 @@ class ADTRUSTInstance(service.Service):
         conf_fd.close()
 
     def __add_cldap_module(self):
-        self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+        try:
+            self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+        except:
+            pass
 
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
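Review bot: The keytab path in `dedicated keytab file = FILE:/etc/samba/samba.keytab` is hard-coded here and repeated verbatim as `samba_keytab = "/etc/samba/samba.keytab"` in the __setup_principal hunk of adtrustinstance.py, so the two copies can drift apart silently and Samba would then read a keytab that ipa-getkeytab never populated. The template already substitutes `$NETBIOS_NAME`, `$REALM` and `$LDAPI_SOCKET` from `self.sub_dict`, so the path should be substituted the same way, e.g. `dedicated keytab file = FILE:$SAMBA_KEYTAB` (constructed name) with the single value defined once in Python where sub_dict is built (outside this diff). If the substitution is not done, at least the comment `# must match the keytab written by ipa-getkeytab in ADTRUSTInstance.__setup_principal` above the line would make the coupling visible to the next editor.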
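Review bot: `disable spoolss = yes` is added without any mention in the commit message and without a comment in the template, so a later maintainer cannot tell whether it is part of the keytab change or an unrelated hardening. A one-line comment above it, `# no print services on an IPA server; keep the spoolss RPC service off`, would record the intent; smb.conf accepts `#` comments.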
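Review bot: The new `except: pass` around `self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)` swallows every exception, including KeyboardInterrupt and SystemExit, so a genuinely failed CLDAP module load (bad LDIF, directory server unreachable) is skipped without a single log line and the server ends up without the module. The @@ -368 hunk in this same file shows the intended pattern of tolerating only the already-exists case and logging it, e.g. `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):` followed by `root_logger.critical("CLDAP module configuration already exists.")`; which exception _ldap_mod actually raises in that case is defined in service.Service, outside this diff, and should be checked before choosing the type.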
@@ -279,21 +282,23 @@ class ADTRUSTInstance(service.Service): def __setup_principal(self): cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name - installutils.kadmin_addprinc(cifs_principal) - self.move_service(cifs_principal) + api.Command.service_add(unicode(cifs_principal)) - try: - ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal, - "-k", "/etc/krb5.keytab"]) - except ipautil.CalledProcessError, e: - if e.returncode != 5: - root_logger.critical("Failed to remove old key for %s" % cifs_principal) + samba_keytab = "/etc/samba/samba.keytab" + if os.path.exists(samba_keytab): + try: + ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal, + "-k", samba_keytab]) + except ipautil.CalledProcessError, e: + root_logger.critical("Result of removing old key: %d" % e.returncode) + if e.returncode != 5: + root_logger.critical("Failed to remove old key for %s" % cifs_principal) try: ipautil.run(["ipa-getkeytab", "--server", self.fqdn, "--principal", cifs_principal, - "-k", "/etc/krb5.keytab"]) + "-k", samba_keytab]) except ipautil.CalledProcessError, e: root_logger.critical("Failed to add key for %s" % cifs_principal) @@ -368,7 +373,7 @@ class ADTRUSTInstance(service.Service): try: self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \ self.suffix) - except ldap.ALREADY_EXISTS: + except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.critical("ADTRUST Service startup entry already exists.") pass -- cgit
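Review bot: `api.Command.service_add(unicode(cifs_principal))` is unguarded, so re-running the installer against an existing cifs service presumably raises `errors.DuplicateEntry` and aborts __setup_principal, while the @@ -368 hunk below deliberately tolerates that same case; wrapping it as `try: api.Command.service_add(unicode(cifs_principal))` / `except errors.DuplicateEntry: root_logger.info("cifs service principal already exists")` would make the two consistent. The added `root_logger.critical("Result of removing old key: %d" % e.returncode)` fires at critical for every non-zero exit, including the 5 that the very next line treats as acceptable, and reads like a leftover debug trace; it should be `root_logger.debug(...)` or dropped. Neither this hunk nor the @@ -368 one adds an import, so `api` and `errors` must already be in scope in adtrustinstance.py — worth confirming, since the import block is outside the diff. Nothing here sets owner or mode on the newly created `/etc/samba/samba.keytab`; whatever ipa-getkeytab leaves should be checked so the file is readable by the Samba daemon and by nobody else.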
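Review bot: In the new `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:` the bound `e` is never used, and the `pass` after `root_logger.critical(...)` is redundant; `except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):` with the `pass` dropped says the same thing. The message is logged at critical for a condition the handler treats as harmless, so `root_logger.info` or `debug` would match its severity better. The enclosing method starts before this hunk.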