From 766b534da0c3a1ed09fe187323eaae0440eb7784 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 7 Dec 2009 23:17:00 -0500
Subject: Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
---
ipaserver/install/bindinstance.py | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
(limited to 'ipaserver/install/bindinstance.py')
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e2edcd39..9150c8ed 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -201,6 +201,7 @@ class BindInstance(service.Service):
# Store the keytab on disk
self.fstore.backup_file("/etc/named.keytab")
installutils.create_keytab("/etc/named.keytab", dns_principal)
+ dns_principal = self.move_service(dns_principal)
# Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.named_user)
@@ -220,17 +221,8 @@ class BindInstance(service.Service):
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
- dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix)
- mod = [(ldap.MOD_ADD, 'objectClass', 'ipaService')]
-
- try:
- conn.modify_s(dns_princ_dn, mod)
- except Exception, e:
- logging.critical("Could not modify principal's %s entry" % dns_principal)
- raise e
-
dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
- mod = [(ldap.MOD_ADD, 'member', dns_princ_dn)]
+ mod = [(ldap.MOD_ADD, 'member', dns_principal)]
try:
conn.modify_s(dns_group, mod)
-- cgit
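Review bot: The added line `dns_principal = self.move_service(dns_principal)` in the first hunk rebinds a name that until now held a Kerberos principal string to whatever move_service returns, and the second hunk then passes that same variable straight into `mod = [(ldap.MOD_ADD, 'member', dns_principal)]`, so the variable's meaning changes mid-method from principal name to group-member DN. A distinct name, `dns_principal_dn = self.move_service(dns_principal)` together with `mod = [(ldap.MOD_ADD, 'member', dns_principal_dn)]`, keeps both readers and any later use of dns_principal honest; the enclosing method starts and ends outside both hunks, so I cannot see whether the principal string is needed again after this point. Since the member add hands the entry whatever the dnsserver rolegroup is permitted to do, it is also worth failing explicitly if move_service yields nothing, e.g. `if not dns_principal_dn: raise RuntimeError("move_service returned no DN for %s" % dns_principal)`, unless move_service is already guaranteed to raise on failure — its contract is not visible from this patch, so confirm before adding the guard.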