author | Simo Sorce <simo@redhat.com> | 2016-11-29 11:10:22 -0500 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | d2f5fc304f1938d23171ae330fa20b213ceed54e (patch) | |
tree | b77e05211632aef8e08cb3cd937d8498d9391ed5 /ipaserver | |
parent | b6741d81e187fc84177c12ef8ad900d3b5cda6a4 (diff) | |
Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/httpinstance.py | 24 | ||||
-rw-r--r-- | ipaserver/install/ipa_backup.py | 2 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 2 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 10 | ||||
-rw-r--r-- | ipaserver/install/service.py | 3 |
5 files changed, 29 insertions, 12 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index d07b32253..dddf097c0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -129,10 +129,11 @@ class HTTPInstance(service.Service):
 api=api,
 service_prefix=u'HTTP',
 service_user=HTTPD_USER,
- keytab=paths.IPA_KEYTAB)
+ keytab=paths.HTTP_KEYTAB)
 self.cert_nickname = cert_nickname
 self.ca_is_configured = True
+ self.keytab_user = constants.GSSPROXY_USER
 subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -169,13 +170,15 @@ class HTTPInstance(service.Service):
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self._request_service_keytab)
 self.step("retrieving anonymous keytab", self.request_anon_keytab)
+ self.step("configuring Gssproxy", self.configure_gssproxy)
 self.step("setting up ssl", self.__setup_ssl)
 if self.ca_is_configured:
 self.step("configure certmonger for renewals", self.configure_certmonger_renewal_guard)
 self.step("importing CA certificates from LDAP", self.__import_ca_certs)
 self.step("publish CA cert", self.__publish_ca_cert)
- self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("clean up any existing httpd ccaches",
+ self.remove_httpd_ccaches)
 self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
 if not self.is_kdcproxy_configured():
 self.step("create KDC proxy user", create_kdcproxy_user)
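Review bot: `self.keytab_user = constants.GSSPROXY_USER` is the security-relevant line of this hunk, yet nothing says why the keytab owner deliberately differs from `service_user` (HTTPD_USER), so a later reader could "fix" it back and hand the key to httpd again. Add above it: `# The HTTP keytab is owned by gssproxy, which obtains credentials on httpd's behalf;` / `# httpd itself must not be able to read the key.` The assignment must also stay after the `super().__init__(...)` call, because the base class in service.py initialises `keytab_user` to `service_user` there; the same comment should say so. `__init__` starts outside the hunk.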
@@ -205,13 +208,13 @@ class HTTPInstance(service.Service):
 except ipapython.errors.SetseboolError as e:
 self.print_msg(e.format_service_warning('web interface'))
- def remove_httpd_ccache(self):
- # Clean up existing ccache
+ def remove_httpd_ccaches(self):
+ # Clean up existing ccaches
 # Make sure that empty env is passed to avoid passing KRB5CCNAME from
 # current env
- ipautil.run(
- [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
- env={})
+ installutils.remove_file(paths.HTTP_CCACHE)
+ for f in os.listdir(paths.IPA_CCACHES):
+ os.remove(os.path.join(paths.IPA_CCACHES, f))
 def __configure_http(self):
 self.update_httpd_service_ipa_conf()
@@ -235,6 +238,10 @@ class HTTPInstance(service.Service):
 http_fd.close()
 os.chmod(target_fname, 0o644)
+ def configure_gssproxy(self):
+ tasks.configure_http_gssproxy_conf()
+ services.knownservices.gssproxy.restart()
+
 def change_mod_nss_port_from_http(self):
 # mod_ssl enforces SSLEngine on for vhost on 443 even though
 # the listener is mod_nss. This then crashes the httpd as mod_nss
@@ -541,8 +548,7 @@ class HTTPInstance(service.Service):
 root_logger.debug(error)
 installutils.remove_keytab(self.keytab)
- installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
- run_as=self.service_user)
+ installutils.remove_file(paths.HTTP_CCACHE)
 # Remove the configuration files we create
 installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 4ba61e529..b2f2e2a9f 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -141,7 +141,7 @@ class Backup(admintool.AdminTool):
 paths.OPENLDAP_LDAP_CONF,
 paths.LIMITS_CONF,
 paths.HTTPD_PASSWORD_CONF,
- paths.IPA_KEYTAB,
+ paths.HTTP_KEYTAB,
 paths.HTTPD_IPA_KDCPROXY_CONF,
 paths.HTTPD_IPA_PKI_PROXY_CONF,
 paths.HTTPD_IPA_REWRITE_CONF,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 89cf9e609..d798654ea 100644
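Review bot: The kept context comment `# Make sure that empty env is passed to avoid passing KRB5CCNAME from` / `# current env` describes the removed `ipautil.run([paths.KDESTROY, '-A'], ..., env={})` call and is now misleading next to the `os.listdir`/`os.remove` loop; it should be dropped. The new loop also changes the failure mode: the old call passed `raiseonerr=False`, whereas `os.listdir` raises if `paths.IPA_CCACHES` does not exist (the method is also called from ipa_restore, where that directory may not have been created yet) and `os.remove` fails on a subdirectory or a permission error, aborting the whole step. Assuming `installutils.remove_file`, which the line above already relies on, logs and continues on failure, a best-effort version that keeps the old semantics is:
```python
    def remove_httpd_ccaches(self):
        """Remove httpd's GSS-Proxy ccache and every per-user ccache file.

        Best effort: a missing ccache directory is logged, not fatal.
        """
        installutils.remove_file(paths.HTTP_CCACHE)
        try:
            entries = os.listdir(paths.IPA_CCACHES)
        except OSError as e:
            root_logger.debug("Cannot list %s: %s", paths.IPA_CCACHES, e)
            return
        for name in entries:
            installutils.remove_file(os.path.join(paths.IPA_CCACHES, name))
```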
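Review bot: `configure_gssproxy` has no docstring and only restarts the unit; if gssproxy is not enabled at boot by the package or by `tasks.configure_http_gssproxy_conf`, httpd silently loses GSSAPI after the next reboot and the installer never notices. Unless that is guaranteed elsewhere, add `services.knownservices.gssproxy.enable()` before the `restart()`. A docstring such as `"""Write the GSS-Proxy configuration for httpd and restart gssproxy so it is picked up."""` would also explain why the restart is unconditional.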
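Review bot: The new `installutils.remove_file(paths.HTTP_CCACHE)` removes only the single ccache, while `remove_httpd_ccaches` in the same class also clears every file under `paths.IPA_CCACHES`; on uninstall those cached credentials are left on disk. Replace the line with `self.remove_httpd_ccaches()` so install, restore and uninstall clean the same set of files. Whether the gssproxy configuration written by `tasks.configure_http_gssproxy_conf` is removed on uninstall is not visible in this hunk; the enclosing uninstall method starts and ends outside it.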
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -413,7 +413,7 @@ class Restore(admintool.AdminTool):
 self.log.info('Restarting SSSD')
 sssd = services.service('sssd', api)
 sssd.restart()
- http.remove_httpd_ccache()
+ http.remove_httpd_ccaches()
 finally:
 try:
 os.chdir(cwd)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 80abeba53..6919f521e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1431,6 +1431,14 @@ def update_ipa_httpd_service_conf(http):
 http.update_httpd_service_ipa_conf()
+def update_http_keytab(http):
+ root_logger.info('[Moving HTTPD service keytab to gssproxy]')
+ if os.path.exists(paths.OLD_IPA_KEYTAB):
+ shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
+ pent = pwd.getpwnam(http.keytab_user)
+ os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
+
+
 def ds_enable_sidgen_extdom_plugins(ds):
 """For AD trust agents, make sure we enable sidgen and extdom plugins
 """
@@ -1629,6 +1637,8 @@ def upgrade_configuration():
 update_mod_nss_cipher_suite(http)
 fix_trust_flags()
 export_kra_agent_pem()
+ update_http_keytab(http)
+ http.configure_gssproxy()
 http.start()
 uninstall_selfsign(ds, http)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fe6defc9c..b9d1ffc63 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -166,6 +166,7 @@ class Service(object):
 self.dercert = None
 self.api = api
 self.service_user = service_user
+ self.keytab_user = service_user
 self.dm_password = None # silence pylint
 self.promote = False
@@ -584,7 +585,7 @@ class Service(object):
 self._add_service_principal()
 self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
- pent = pwd.getpwnam(self.service_user)
+ pent = pwd.getpwnam(self.keytab_user)
 os.chown(self.keytab, pent.pw_uid, pent.pw_gid) |
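Review bot: `os.chown(http.keytab, ...)` in `update_http_keytab` runs unconditionally, so on a host where neither `paths.OLD_IPA_KEYTAB` nor `http.keytab` exists it raises FileNotFoundError and aborts the upgrade before `http.start()`. The move also only fixes ownership: `shutil.move` keeps whatever mode the old file had and, when it is a plain rename, the SELinux label of the old location, so the keytab may end up unreadable to gssproxy's domain — restore the label after the move (the platform `tasks` helpers normally offer this; confirm which) and pin the mode to 0600 rather than trusting the old file. Sketch:
```python
def update_http_keytab(http):
    """Move the HTTP keytab to its gssproxy-owned location and fix its ownership."""
    root_logger.info('[Moving HTTPD service keytab to gssproxy]')
    if os.path.exists(paths.OLD_IPA_KEYTAB):
        shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
    if not os.path.exists(http.keytab):
        root_logger.warning('HTTP keytab %s not found, nothing to move', http.keytab)
        return
    pent = pwd.getpwnam(http.keytab_user)
    os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
    os.chmod(http.keytab, 0o600)
    # TODO(review): a rename keeps the old SELinux label; restore the label of http.keytab here
```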
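Review bot: The chown to `self.keytab_user` only fixes the owner; unless `run_getkeytab` guarantees a 0600 mode on the file it writes, the keytab could stay group- or world-readable once ownership moves to a user other than the service account. Adding `os.chmod(self.keytab, 0o600)` right after the `os.chown` line makes that invariant explicit at no cost. The enclosing method starts outside the hunk.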