-rw-r--r--install/share/bootstrap-template.ldif1
-rw-r--r--install/share/replica-s4u2proxy.ldif6
-rw-r--r--install/updates/60-trusts.update4
-rw-r--r--install/updates/61-trusts-s4u2proxy.update9
-rw-r--r--ipaserver/install/adtrustinstance.py46
5 files changed, 42 insertions, 24 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 24804e475..a17f2518f 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -195,7 +195,6 @@ changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
-memberPrincipal: cifs/$HOST@$REALM
dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
diff --git a/install/share/replica-s4u2proxy.ldif b/install/share/replica-s4u2proxy.ldif
index 98de46fa7..c7ced5ee2 100644
--- a/install/share/replica-s4u2proxy.ldif
+++ b/install/share/replica-s4u2proxy.ldif
@@ -12,9 +12,3 @@ dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: modify
add: memberPrincipal
memberPrincipal: ldap/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-changetype: modify
-add: memberPrincipal
-memberPrincipal: cifs/$FQDN@$REALM
-
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index cc9a771df..bf2c58daa 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -40,10 +40,6 @@ dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
-default: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
-
-dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
-add: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
dn: cn=trusts,$SUFFIX
default: objectClass: top
diff --git a/install/updates/61-trusts-s4u2proxy.update b/install/updates/61-trusts-s4u2proxy.update
index 4a71148bc..7504a068e 100644
--- a/install/updates/61-trusts-s4u2proxy.update
+++ b/install/updates/61-trusts-s4u2proxy.update
@@ -1,12 +1,7 @@
-dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
-add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
-
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
default: objectClass: groupOfPrincipals
default: objectClass: top
default: cn: ipa-cifs-delegation-targets
-default: memberPrincipal: cifs/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-add: memberPrincipal: cifs/$FQDN@$REALM
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d86f9f514..b74f4b685 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -52,6 +52,13 @@ change with the command:
Try updating the policycoreutils and selinux-policy packages.
"""
+UPGRADE_ERROR = """
+Entry %(dn)s does not exist.
+This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
+configuration was not set up properly. Please run ipa-ldap-updater manually
+and re-run ipa-adtrust-instal again afterwards.
+"""
+
def check_inst():
for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
if not os.path.exists(smbfile):
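Review bot: UPGRADE_ERROR is an administrator-facing message and the new text carries two typos that will be printed verbatim: `did not went well` should read `did not go well`, and `ipa-adtrust-instal` should be `ipa-adtrust-install`, which is the command the admin is being told to re-run, so the misspelling matters more than usual. The message also only makes sense if the caller substitutes `%(dn)s`; a short comment above the constant such as `# Printed by __add_s4u2proxy_target when the S4U2Proxy target group is missing; format with dict(dn=...)` would tie the two together. check_inst starts at the end of this hunk and continues outside it.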
@@ -382,6 +389,25 @@ class ADTRUSTInstance(service.Service):
self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
'ipa-extdom-extop-conf.ldif')
+ def __add_s4u2proxy_target(self):
+ """
+ Add CIFS principal to S4U2Proxy target
+ """
+
+ targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
+ ('cn', 'etc'), self.suffix)
+ try:
+ targets = self.admin_conn.getEntry(targets_dn, ldap.SCOPE_BASE)
+ current = ipaldap.Entry((targets_dn, targets.toDict()))
+ members = current.getValues('memberPrincipal') or []
+ if not(self.cifs_principal in members):
+ current.setValues("memberPrincipal", members + [self.cifs_principal])
+ self.admin_conn.updateEntry(targets_dn, targets.toDict(), current.toDict())
+ else:
+ self.print_msg('cifs principal already targeted, nothing to do.')
+ except errors.NotFound:
+ self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))
+
def __write_smb_registry(self):
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
conf = ipautil.template_file(template, self.sub_dict)
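Review bot: In __add_s4u2proxy_target the `except errors.NotFound` branch prints UPGRADE_ERROR and returns normally, so the "adding cifs principal to S4U2Proxy targets" step is reported as completed even though the cifs principal was not added to the delegation target and the installer keeps going; if the missing entry is really a failed upgrade, the step should fail, e.g. `raise RuntimeError(UPGRADE_ERROR % dict(dn=targets_dn))` after (or instead of) the print_msg call, or the docstring should state that a missing target group is deliberately tolerated. The membership test also assumes `current.getValues('memberPrincipal')` returns a list; if it can return a bare string for a single-valued attribute, `members + [self.cifs_principal]` raises TypeError and `in` becomes a substring check, which is worth confirming against ipaldap.Entry. The same get-entry/append-if-missing/updateEntry sequence is duplicated in __setup_principal for the 'adtrust agents' group, and a small private helper taking the DN and attribute name would keep the two in step.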
@@ -402,12 +428,19 @@ class ADTRUSTInstance(service.Service):
# Add the principal to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
- entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
- current = ipaldap.Entry(self.smb_dn, entry.toDict())
- if not('member' in current):
- current['member'] = []
- entry.setValues("member", current['member'] + [self.cifs_agent])
- self.admin_conn.updateEntry(self.smb_dn, current, entry)
+ try:
+ entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
+ current = ipaldap.Entry((self.smb_dn, entry.toDict()))
+ members = current.getValues('member') or []
+ if not(self.cifs_agent in members):
+ current.setValues("member", members + [self.cifs_agent])
+ self.admin_conn.updateEntry(self.smb_dn, entry.toDict(), current.toDict())
+ except errors.NotFound:
+ entry = ipaldap.Entry(self.smb_dn)
+ entry.setValues("objectclass", ["top", "GroupOfNames"])
+ entry.setValues("cn", self.smb_dn['cn'])
+ entry.setValues("member", [self.cifs_agent])
+ self.admin_conn.addEntry(entry)
except Exception, e:
# CIFS principal already exists, it is not the first time adtrustinstance is managed
# That's fine, we we'll re-extract the key again.
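Review bot: The new `try: ... except errors.NotFound:` block is nested inside an outer `except Exception, e:` whose comment states the only expected failure is that the CIFS principal already exists, so any other error raised by the new getEntry/updateEntry/addEntry calls (an LDAP error, a schema violation on the addEntry of the GroupOfNames, or a type error from `members + [self.cifs_agent]`) is swallowed under that assumption and the cifs agent silently never joins 'adtrust agents'. The outer handler should be narrowed to the duplicate-entry case (e.g. `except errors.DuplicateEntry:`) or at least log the caught exception before continuing, so a failed group update is visible to the administrator. The outer `try` begins before this hunk and __setup_principal continues past it, so I cannot see what else the broad handler covers.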
@@ -703,6 +736,7 @@ class ADTRUSTInstance(service.Service):
self.step("creating samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
self.step("adding cifs Kerberos principal", self.__setup_principal)
+ self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
self.step("adding admin(group) SIDs", self.__add_admin_sids)
self.step("adding RID bases", self.__add_rid_bases)
self.step("updating Kerberos config", self.__update_krb5_conf)