author | Jan Cholasta <jcholast@redhat.com> | 2015-09-21 10:09:50 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-09-22 16:34:51 +0200 |
commit | 0de860318332114ca739a8dd45902f7cc9a3c722 (patch) | |
tree | 263f68af3d14e3de65a3469bfb8240ecf71a1555 | |
parent | bdccebbcdb9eb7da476762743121c1e73f95fa10 (diff) | |
install: create kdcproxy user during server install
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | freeipa.spec.in | 12 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 1 |
4 files changed, 18 insertions, 13 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index ab8af302a..7a199a5f7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -24,10 +24,6 @@ %define _hardened_build 1 -%define kdcproxy_user kdcproxy -%define kdcproxy_group kdcproxy -%define kdcproxy_home %{_sharedstatedir}/kdcproxy - Name: freeipa Version: __VERSION__ Release: __RELEASE__%{?dist} @@ -583,13 +579,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi -# create kdcproxy user -getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group} -getent passwd %{kdcproxy_user} >/dev/null || \ - /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \ - -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} -exit 0 - %postun server-trust-ad if [ "$1" -ge "1" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then @@ -726,7 +715,6 @@ fi %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy -%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home} %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 9354a22f5..73585114c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -51,6 +51,8 @@ SELINUX_BOOLEAN_SETTINGS = dict( httpd_run_ipa='on', ) +KDCPROXY_USER = 'kdcproxy' + def httpd_443_configured(): """ @@ -77,6 +79,17 @@ def httpd_443_configured(): return False + +def create_kdcproxy_user(): + """Create KDC proxy user/group if it doesn't exist yet.""" + tasks.create_system_user( + name=KDCPROXY_USER, + group=KDCPROXY_USER, + homedir=paths.VAR_LIB, + shell=paths.NOLOGIN, + ) + + class WebGuiInstance(service.SimpleServiceInstance): def __init__(self): service.SimpleServiceInstance.__init__(self, "ipa_webgui") 
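Review bot: `create_kdcproxy_user()` passes `homedir=paths.VAR_LIB`, whereas the scriptlet removed from freeipa.spec.in gave the account `%{_sharedstatedir}/kdcproxy` and the `%files` entry packaged that directory as `%attr(0700,%{kdcproxy_user},%{kdcproxy_group})`, so the service account now appears to get a shared state directory as its home and no private one. Unless `tasks.create_system_user` appends the user name itself (its body is not visible here), I would pass a dedicated path instead, e.g. `homedir=<kdcproxy state dir constant>,` (placeholder name), and make sure that directory ends up mode 0700 and owned by the account, as the package did before. The `-c "IPA KDC Proxy User"` description from the old `useradd` call is also no longer set. Since the docstring says an existing account is left alone, hosts upgraded from the old package would keep the old home while fresh installs get the new one; the same helper is called from the ipa_restore.py and upgrade.py hunks, so the difference would show up there too.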
@@ -141,6 +154,7 @@ class HTTPInstance(service.Service): self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) if not self.is_kdcproxy_configured(): + self.step("create KDC proxy user", create_kdcproxy_user) self.step("create KDC proxy config", self.create_kdcproxy_conf) self.step("enable KDC proxy", self.enable_kdcproxy) self.step("restarting httpd", self.__start) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index b7af88d99..6f24a4818 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -370,6 +370,7 @@ class Restore(admintool.AdminTool): self.restore_selinux_booleans() + http = httpinstance.HTTPInstance() # We do either a full file restore or we restore data. if restore_type == 'FULL': @@ -381,6 +382,8 @@ class Restore(admintool.AdminTool): self.cert_restore() if 'CA' in self.backup_services: self.__create_dogtag_log_dirs() + if http.is_kdcproxy_configured(): + httpinstance.create_kdcproxy_user() # Always restore the data from ldif # If we are restoring PKI-IPA then we need to restore the @@ -409,7 +412,6 @@ class Restore(admintool.AdminTool): self.log.info('Restarting SSSD') sssd = services.service('sssd') sssd.restart() - http = httpinstance.HTTPInstance() http.remove_httpd_ccache() finally: try: diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 571e71b9e..4df621947 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1445,6 +1445,7 @@ def upgrade_configuration(): http.realm = api.env.realm http.suffix = ipautil.realm_to_suffix(api.env.realm) http.ldap_connect() + httpinstance.create_kdcproxy_user() http.create_kdcproxy_conf() http.enable_kdcproxy() |
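Review bot: In the ipa_restore.py hunk the `if http.is_kdcproxy_configured(): httpinstance.create_kdcproxy_user()` pair sits after `self.cert_restore()`, apparently inside the `restore_type == 'FULL'` branch, so on a host where the package no longer creates the account, any restored file meant to belong to kdcproxy is written before the account exists. Whether the backup contains such files is not visible from the hunk; if it does, their ownership after the restore should be checked, since the recreated system account need not get the same uid as on the backed-up host. A one-line comment would make the ordering intentional rather than accidental, e.g. `# kdcproxy state comes from the restored files, so check and create the user only after the restore`, assuming that is indeed why the check is placed here. The enclosing method starts and ends outside the hunk.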