From 12f4584f577c8390b29e939e29bb471cb6c499ab Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 8 Oct 2012 10:44:07 +0200
Subject: ipa-adtrust-install: create fallback group with ldif file

Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
---
 ipaserver/install/adtrustinstance.py | 41 ++++++++++--------------------------
 1 file changed, 11 insertions(+), 30 deletions(-)

(limited to 'ipaserver')

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 3f3924eb3..41030223d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,6 @@ import errno
 import ldap
 import tempfile
 import uuid
-import krbV
 from ipaserver import ipaldap
 from ipaserver.install import installutils
 from ipaserver.install import service
@@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
     OBJC_USER = "ipaNTUserAttrs"
     OBJC_GROUP = "ipaNTGroupAttrs"
     OBJC_DOMAIN = "ipaNTDomainAttrs"
-    FALLBACK_GROUP_NAME = u'Default_SMB_Group'
+    FALLBACK_GROUP_NAME = u'Default SMB Group'
 
     def __init__(self, fstore=None):
         self.fqdn = None
@@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
         """
         self.ldap_connect()
 
-        try:
-            ctx = krbV.default_context()
-            ccache = ctx.default_ccache()
-        except krbV.Krb5Error, e:
-            self.print_msg("Must have Kerberos credentials to setup " \
-                           "AD trusts on server")
-            return
-
-        try:
-            api.Backend.ldap2.disconnect()
-            api.Backend.ldap2.connect(ccache.name)
-        except errors.ACIError, e:
-            self.print_msg("Outdated Kerberos credentials. " \
-                           "Use kdestroy and kinit to update your ticket")
-            return
-        except errors.DatabaseError, e:
-            self.print_msg("Cannot connect to the LDAP database. " \
-                           "Please check if IPA is running")
-            return
 
         try:
             dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
@@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
             self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
         except errors.NotFound:
             try:
-                fallback = api.Command['group_add'](self.FALLBACK_GROUP_NAME,
-                                                    description= u'Fallback group for ' \
-                                                                 'primary group RID, ' \
-                                                                 'do not add user to ' \
-                                                                 'this group',
-                                                    nonposix=False)
-                fb_group_dn = fallback['result']['dn']
+                self._ldap_mod('default-smb-group.ldif', self.sub_dict)
             except Exception, e:
                 self.print_msg("Failed to add fallback group.")
                 raise e
 
+            # _ldap_mod does not return useful error codes, so we must check again
+            # if the fallback group was created properly.
+            try:
+                self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
+            except errors.NotFound:
+                self.print_msg("Failed to add fallback group.")
+                return
+
             try:
-                mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
-                        fallback['result']['dn'])]
+                mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
                 self.admin_conn.modify_s(self.smb_dom_dn, mod)
             except:
                 self.print_msg("Failed to add fallback group to domain object")
-- cgit
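Review bot: The re-check added after `self._ldap_mod(...)` handles a missing fallback group differently from the `except Exception` branch directly above it: that branch re-raises, while the new `except errors.NotFound:` prints the same message and returns None, so the caller carries on as if the SMB domain object had been fully configured even though no fallback group was attached to it. Since the `ldap.MOD_ADD` of `self.ATTR_FALLBACK_GROUP` below depends on that group existing, the second failure should be fatal too, e.g. `except errors.NotFound:` / `self.print_msg("Failed to add fallback group.")` / `raise`. The enclosing method and the computation of `fb_group_dn` lie outside this hunk, and default-smb-group.ldif is not part of the patch (limited to 'ipaserver'), so whether the cn the ldif writes matches the renamed `FALLBACK_GROUP_NAME` cannot be confirmed here; a comment on the `_ldap_mod` call naming the `self.sub_dict` key that carries the group name into the ldif would make that coupling explicit for the next maintainer.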