-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 8 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/Makefile | 5 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/ipa_kpasswd.c | 13 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 15 |
4 files changed, 33 insertions, 8 deletions
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 8ba8425d..316fe254 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -113,7 +113,7 @@ def main(): krb.create_instance(options.ds_user, options.realm_name, host_name, options.password, options.master_password) - # Restart ds after the krb instance have add the sasl map + # Restart ds after the krb instance has changed ds configurations ds.restart() # Restart apache @@ -128,6 +128,12 @@ def main(): # Set the KDC to start on boot run(["/sbin/chkconfig", "krb5kdc", "on"]) + # Set the Kpasswd to start on boot + run(["/sbin/chkconfig", "ipa-kpasswd", "on"]) + + # Start Kpasswd + run(["/sbin/service", "ipa-kpasswd", "start"]) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-kpasswd/Makefile b/ipa-server/ipa-kpasswd/Makefile index 11755a9a..7384ed88 100644 --- a/ipa-server/ipa-kpasswd/Makefile +++ b/ipa-server/ipa-kpasswd/Makefile @@ -1,5 +1,6 @@ PREFIX ?= $(DESTDIR)/usr SBIN = $(PREFIX)/sbin +INITDIR = $(DESTDIR)/etc/rc.d/init.d LDFLAGS +=-lkrb5 -llber -lldap CFLAGS ?= -Wall -Wshadow -O2 @@ -15,8 +16,10 @@ all: $(OBJS) install: -mkdir -p $(SBIN) install -m 755 ipa_kpasswd $(SBIN) + -mkdir -p $(INITDIR) + install -m 755 ipa-kpasswd.init $(INITDIR)/ipa-kpasswd clean: rm -f *.o rm -f ipa_kpasswd - rm -f *~
\ No newline at end of file + rm -f *~ diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 811ae34d..bc89a1b8 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c @@ -21,6 +21,7 @@ #include <ldap.h> #include <sasl/sasl.h> +#define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab" #define TMP_TEMPLATE "/tmp/kpasswd.XXXXXX" #define KPASSWD_PORT 464 #define KPASSWD_TCP 1 @@ -108,7 +109,7 @@ int remove_blacklist(pid_t pid) int debug = 1; char *srv_pri_name = "kadmin/changepw"; -char *keytab_name = "FILE:/var/kerberos/krb5kdc/kpasswd.keytab"; +char *keytab_name = NULL; static int get_krb5_ticket(char *tmp_file) { @@ -864,6 +865,16 @@ int main(int argc, char *argv[]) int tcp_s, udp_s; int tru = 1; int ret; + char *key; + + key = getenv("KRB5_KTNAME"); + if (!key) { + key = DEFAULT_KEYTAB; + } + keytab_name = strdup(key); + if (!keytab_name) { + fprintf(stderr, "Out of memory!\n"); + } tcp_s = socket(AF_INET, SOCK_STREAM, 0); if (tcp_s == -1) { diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index e31312a7..99687370 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -87,12 +87,12 @@ class KrbInstance: self.__create_http_keytab() - self.__set_kadmin_changepw_preauth() - - self.__export_kadmin_changepw_keytab() + self.__export_kadmin_changepw_keytab() self.__create_sample_bind_zone() + self.__add_pwd_extop_module() + self.start() def stop(self): @@ -185,7 +185,7 @@ class KrbInstance: pent = pwd.getpwnam(self.ds_user) os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) - def __set_kadmin_changepw_preauth(self): + def __export_kadmin_changepw_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("modprinc +requires_preauth kadmin/changepw\n") kwrite.flush() 
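Review bot: The new `install -m 755 ipa-kpasswd.init $(INITDIR)/ipa-kpasswd` line in ipa-kpasswd/Makefile depends on a file that is not among the four files in this commit's diffstat. Unless `ipa-kpasswd.init` is already in the tree, `make install` will fail here, and the `chkconfig` and `service` calls added to ipa-server-install will have no init script to act on. The added `-mkdir -p $(INITDIR)` also ignores a failed mkdir, so a permissions problem only surfaces at the following `install`; dropping the leading `-` would make the failure clearer.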
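Review bot: In the ipa_kpasswd.c hunk that adds the `KRB5_KTNAME` lookup to main(), the `strdup` failure branch only prints "Out of memory!" and then falls through to `socket()` with `keytab_name` still NULL. Now that the global is initialised to NULL instead of a string literal, later code that uses `keytab_name` would receive a null pointer on this path. The branch should stop the daemon, for example `fprintf(stderr, "Out of memory!\n"); exit(1);`. A short comment above the `getenv` call, such as `/* keytab location: KRB5_KTNAME from the environment, else DEFAULT_KEYTAB */`, would also document where the path now comes from. main() continues outside the hunk.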
@@ -193,7 +193,6 @@ class KrbInstance: kread.close() kerr.close() - def __export_kadmin_changepw_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("ktadd -k /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw\n") kwrite.flush() @@ -201,6 +200,12 @@ class KrbInstance: kread.close() kerr.close() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") + cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") + cfg_fd.close() + pent = pwd.getpwnam(self.ds_user) + os.chown("/etc/sysconfig/ipa-kpasswd", pent.pw_uid, pent.pw_gid) + def __create_http_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n") |
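Review bot: The lines added to the end of `__export_kadmin_changepw_keytab` in krbinstance.py hand `/etc/sysconfig/ipa-kpasswd` to `self.ds_user` with `os.chown`. The file holds an `export KRB5_KTNAME=...` shell line, so it is presumably sourced by the ipa-kpasswd init script, which is not shown here. If that script runs as root, a file writable by the directory-server account lets that account change what root executes and which keytab the daemon loads. Keep it root-owned and set the mode explicitly, e.g. replace the `pwd.getpwnam`/`os.chown` pair with `os.chmod("/etc/sysconfig/ipa-kpasswd", 0644)`. Opening with `"a"` also appends a duplicate line on every re-run of the installer; `open("/etc/sysconfig/ipa-kpasswd", "w")` avoids that. The function begins outside this hunk and, after the merge in the preceding hunks, also runs `modprinc +requires_preauth`, which its name no longer conveys.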