authorJan Cholasta <jcholast@redhat.com>2015-09-21 10:09:50 +0200
committerJan Cholasta <jcholast@redhat.com>2015-09-22 16:34:51 +0200
commit0de860318332114ca739a8dd45902f7cc9a3c722 (patch)
tree263f68af3d14e3de65a3469bfb8240ecf71a1555
parentbdccebbcdb9eb7da476762743121c1e73f95fa10 (diff)
install: create kdcproxy user during server install
This change makes kdcproxy user creation consistent with DS and CA user creation. Before, the user was created in the spec file, in %pre scriptlet of freeipa-server. https://fedorahosted.org/freeipa/ticket/5314 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--freeipa.spec.in12
-rw-r--r--ipaserver/install/httpinstance.py14
-rw-r--r--ipaserver/install/ipa_restore.py4
-rw-r--r--ipaserver/install/server/upgrade.py1
4 files changed, 18 insertions, 13 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ab8af302a..7a199a5f7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,6 @@
%define _hardened_build 1
-%define kdcproxy_user kdcproxy
-%define kdcproxy_group kdcproxy
-%define kdcproxy_home %{_sharedstatedir}/kdcproxy
-
Name: freeipa
Version: __VERSION__
Release: __RELEASE__%{?dist}
@@ -583,13 +579,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
# END
fi
-# create kdcproxy user
-getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
-getent passwd %{kdcproxy_user} >/dev/null || \
- /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
- -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
-exit 0
-
%postun server-trust-ad
if [ "$1" -ge "1" ]; then
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -726,7 +715,6 @@ fi
%{_libexecdir}/ipa/ipa-ods-exporter
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
-%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9354a22f5..73585114c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -51,6 +51,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
httpd_run_ipa='on',
)
+KDCPROXY_USER = 'kdcproxy'
+
def httpd_443_configured():
"""
@@ -77,6 +79,17 @@ def httpd_443_configured():
return False
+
+def create_kdcproxy_user():
+ """Create KDC proxy user/group if it doesn't exist yet."""
+ tasks.create_system_user(
+ name=KDCPROXY_USER,
+ group=KDCPROXY_USER,
+ homedir=paths.VAR_LIB,
+ shell=paths.NOLOGIN,
+ )
+
+
class WebGuiInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_webgui")
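Review bot: `homedir=paths.VAR_LIB` in `create_kdcproxy_user()` gives the service account the shared state directory as its home, whereas the scriptlet removed from freeipa.spec.in used `%{_sharedstatedir}/kdcproxy` and packaged it as `0700` owned by kdcproxy. If `paths.VAR_LIB` is the shared parent directory (its value is not visible here), the account no longer has a private home and the 0700 directory is gone. Consider keeping a dedicated home, e.g. `homedir=os.path.join(paths.VAR_LIB, KDCPROXY_USER),` (assuming `os` is imported in this module). The docstring should also say what `tasks.create_system_user` does when the account already exists from an older package with the previous home directory.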
@@ -141,6 +154,7 @@ class HTTPInstance(service.Service):
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
+ self.step("create KDC proxy user", create_kdcproxy_user)
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
self.step("restarting httpd", self.__start)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index b7af88d99..6f24a4818 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -370,6 +370,7 @@ class Restore(admintool.AdminTool):
self.restore_selinux_booleans()
+ http = httpinstance.HTTPInstance()
# We do either a full file restore or we restore data.
if restore_type == 'FULL':
@@ -381,6 +382,8 @@ class Restore(admintool.AdminTool):
self.cert_restore()
if 'CA' in self.backup_services:
self.__create_dogtag_log_dirs()
+ if http.is_kdcproxy_configured():
+ httpinstance.create_kdcproxy_user()
# Always restore the data from ldif
# If we are restoring PKI-IPA then we need to restore the
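Review bot: The new `if http.is_kdcproxy_configured():` check has no comment explaining why the account is created this late in the full-restore path, after `self.cert_restore()`, rather than before files are put back. Presumably the check has to read the restored KDC proxy configuration, but the file-restore call is outside this hunk, so that is an inference. If so, any restored file meant to be owned by kdcproxy is written before the account exists. I would add `# KDC proxy config comes from the restored files, so the user can only be created after the file restore` above the `if`, and confirm that no restored path depends on the kdcproxy uid.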
@@ -409,7 +412,6 @@ class Restore(admintool.AdminTool):
self.log.info('Restarting SSSD')
sssd = services.service('sssd')
sssd.restart()
- http = httpinstance.HTTPInstance()
http.remove_httpd_ccache()
finally:
try:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 571e71b9e..4df621947 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1445,6 +1445,7 @@ def upgrade_configuration():
http.realm = api.env.realm
http.suffix = ipautil.realm_to_suffix(api.env.realm)
http.ldap_connect()
+ httpinstance.create_kdcproxy_user()
http.create_kdcproxy_conf()
http.enable_kdcproxy()