From 7caed6ecfb17050796c11fa9718aa8fb1464655d Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Fri, 1 Aug 2014 16:34:33 +0200
Subject: ipa-adtrust-install does not re-add member in adtrust agents group
When a CIFS service exists and adtrust agents group does not have it as a member attribute (for whatever reason), re-running ipa-adtrust-install does not fix the inconsistency. Make the installer more robust by being able to fix the inconsistency.
https://fedorahosted.org/freeipa/ticket/4464
Reviewed-By: Alexander Bokovoy
---
 ipaserver/install/adtrustinstance.py | 39 +++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 18 deletions(-)
(limited to 'ipaserver')
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 7cfc5e886..38b080131 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -497,28 +497,31 @@ class ADTRUSTInstance(service.Service):
 def __setup_principal(self):
 try:
 api.Command.service_add(unicode(self.cifs_principal))
- # Add the principal to the 'adtrust agents' group
- # as 389-ds only operates with GroupOfNames, we have to use
- # the principal's proper dn as defined in self.cifs_agent
- try:
- current = self.admin_conn.get_entry(self.smb_dn)
- members = current.get('member', [])
- if not(self.cifs_agent in members):
- current["member"] = members + [self.cifs_agent]
- self.admin_conn.update_entry(current)
- except errors.NotFound:
- entry = self.admin_conn.make_entry(
- self.smb_dn,
- objectclass=["top", "GroupOfNames"],
- cn=[self.smb_dn['cn']],
- member=[self.cifs_agent],
- )
- self.admin_conn.add_entry(entry)
- except Exception:
+ except errors.DuplicateEntry:
 # CIFS principal already exists, it is not the first time
 # adtrustinstance is managed
 # That's fine, we we'll re-extract the key again.
 pass
+ except Exception, e:
+ self.print_msg("Cannot add CIFS service: %s" % e)
+
+ # Add the principal to the 'adtrust agents' group
+ # as 389-ds only operates with GroupOfNames, we have to use
+ # the principal's proper dn as defined in self.cifs_agent
+ try:
+ current = self.admin_conn.get_entry(self.smb_dn)
+ members = current.get('member', [])
+ if not(self.cifs_agent in members):
+ current["member"] = members + [self.cifs_agent]
+ self.admin_conn.update_entry(current)
+ except errors.NotFound:
+ entry = self.admin_conn.make_entry(
+ self.smb_dn,
+ objectclass=["top", "GroupOfNames"],
+ cn=[self.smb_dn['cn']],
+ member=[self.cifs_agent],
+ )
+ self.admin_conn.add_entry(entry)
 self.clean_samba_keytab()
-- cgit
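Review bot: The new `except Exception, e:` branch only prints the error and then falls through, so when `service_add` fails for a reason other than `DuplicateEntry` the code below still writes `self.cifs_agent` into the 'adtrust agents' group as a `member`. That can leave a membership in an access-granting group pointing at a service entry that was never created, and any entry that later appears under that DN would pick up the group's access. I would stop the step at that point, for example with a bare `raise` after the `self.print_msg("Cannot add CIFS service: %s" % e)` line, so the group is only touched once the principal is known to exist. The body of `__setup_principal` may continue past `self.clean_samba_keytab()` outside this hunk, so later steps could depend on the principal as well.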