Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install

Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
author: Alexander Bokovoy <abokovoy@redhat.com> 2012-10-08 13:27:16 +0300
committer: Rob Crittenden <rcritten@redhat.com> 2012-10-09 18:15:25 -0400
commit: c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3 (patch)
tree: 2d858c46d649149f3a11a602c613700945537cfd /ipaserver
parent: 50e55b012ecf533c190536a364c72c961c070f9f (diff)
download: freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.tar.gz
freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.tar.xz
freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.zip
1 files changed, 40 insertions, 6 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d86f9f51..b74f4b68 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -52,6 +52,13 @@ change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
+UPGRADE_ERROR = """
+Entry %(dn)s does not exist.
+This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
+configuration was not set up properly. Please run ipa-ldap-updater manually
+and re-run ipa-adtrust-instal again afterwards.
+"""
+
 def check_inst():
     for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
         if not os.path.exists(smbfile):
@@ -382,6 +389,25 @@ class ADTRUSTInstance(service.Service):
         self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
                                'ipa-extdom-extop-conf.ldif')
 
+    def __add_s4u2proxy_target(self):
+        """
+        Add CIFS principal to S4U2Proxy target
+        """
+
+        targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
+                        ('cn', 'etc'), self.suffix)
+        try:
+            targets = self.admin_conn.getEntry(targets_dn, ldap.SCOPE_BASE)
+            current = ipaldap.Entry((targets_dn, targets.toDict()))
+            members = current.getValues('memberPrincipal') or []
+            if not(self.cifs_principal in members):
+                current.setValues("memberPrincipal", members + [self.cifs_principal])
+                self.admin_conn.updateEntry(targets_dn, targets.toDict(), current.toDict())
+            else:
+                self.print_msg('cifs principal already targeted, nothing to do.')
+        except errors.NotFound:
+            self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))
+
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
         conf = ipautil.template_file(template, self.sub_dict)
@@ -402,12 +428,19 @@ class ADTRUSTInstance(service.Service):
             # Add the principal to the 'adtrust agents' group
             # as 389-ds only operates with GroupOfNames, we have to use
             # the principal's proper dn as defined in self.cifs_agent
-            entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
-            current = ipaldap.Entry(self.smb_dn, entry.toDict())
-            if not('member' in current):
-                current['member'] = []
-            entry.setValues("member", current['member'] + [self.cifs_agent])
-            self.admin_conn.updateEntry(self.smb_dn, current, entry)
+            try:
+                entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
+                current = ipaldap.Entry((self.smb_dn, entry.toDict()))
+                members = current.getValues('member') or []
+                if not(self.cifs_agent in members):
+                    current.setValues("member", members + [self.cifs_agent])
+                    self.admin_conn.updateEntry(self.smb_dn, entry.toDict(), current.toDict())
+            except errors.NotFound:
+                entry = ipaldap.Entry(self.smb_dn)
+                entry.setValues("objectclass", ["top", "GroupOfNames"])
+                entry.setValues("cn", self.smb_dn['cn'])
+                entry.setValues("member", [self.cifs_agent])
+                self.admin_conn.addEntry(entry)
         except Exception, e:
             # CIFS principal already exists, it is not the first time adtrustinstance is managed
             # That's fine, we we'll re-extract the key again.
@@ -703,6 +736,7 @@ class ADTRUSTInstance(service.Service):
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
         self.step("updating Kerberos config", self.__update_krb5_conf)
author	Alexander Bokovoy <abokovoy@redhat.com>	2012-10-08 13:27:16 +0300
committer	Rob Crittenden <rcritten@redhat.com>	2012-10-09 18:15:25 -0400
commit	c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3 (patch)
tree	2d858c46d649149f3a11a602c613700945537cfd /ipaserver
parent	50e55b012ecf533c190536a364c72c961c070f9f (diff)
download	freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.tar.gz freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.tar.xz freeipa.git-c2a62b9433c6554c06ae28ce535c78f9a1fe7fb3.zip