-rw-r--r-- | install/share/bootstrap-template.ldif | 1 | ||||
-rw-r--r-- | install/share/replica-s4u2proxy.ldif | 6 | ||||
-rw-r--r-- | install/updates/60-trusts.update | 4 | ||||
-rw-r--r-- | install/updates/61-trusts-s4u2proxy.update | 9 | ||||
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 46 |
5 files changed, 42 insertions, 24 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 24804e475..a17f2518f 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -195,7 +195,6 @@ changetype: add
 objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-cifs-delegation-targets
-memberPrincipal: cifs/$HOST@$REALM
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
diff --git a/install/share/replica-s4u2proxy.ldif b/install/share/replica-s4u2proxy.ldif
index 98de46fa7..c7ced5ee2 100644
--- a/install/share/replica-s4u2proxy.ldif
+++ b/install/share/replica-s4u2proxy.ldif
@@ -12,9 +12,3 @@ dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify
 add: memberPrincipal
 memberPrincipal: ldap/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-changetype: modify
-add: memberPrincipal
-memberPrincipal: cifs/$FQDN@$REALM
-
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index cc9a771df..bf2c58daa 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -40,10 +40,6 @@ dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
 default: objectClass: GroupOfNames
 default: objectClass: top
 default: cn: adtrust agents
-default: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
-
-dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
-add: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
 dn: cn=trusts,$SUFFIX
 default: objectClass: top
diff --git a/install/updates/61-trusts-s4u2proxy.update b/install/updates/61-trusts-s4u2proxy.update
index 4a71148bc..7504a068e 100644
--- a/install/updates/61-trusts-s4u2proxy.update
+++ b/install/updates/61-trusts-s4u2proxy.update
@@ -1,12 +1,7 @@
-dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
-add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
-
 dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 default: objectClass: groupOfPrincipals
 default: objectClass: top
 default: cn: ipa-cifs-delegation-targets
-default: memberPrincipal: cifs/$FQDN@$REALM
-
-dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
-add: memberPrincipal: cifs/$FQDN@$REALM
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d86f9f514..b74f4b685 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -52,6 +52,13 @@ change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
+UPGRADE_ERROR = """
+Entry %(dn)s does not exist.
+This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
+configuration was not set up properly. Please run ipa-ldap-updater manually
+and re-run ipa-adtrust-instal again afterwards.
+"""
+
 def check_inst():
     for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
         if not os.path.exists(smbfile):
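Review bot: The new UPGRADE_ERROR text tells the administrator to run a command whose name is misspelled, and the sentence before it has a grammar slip; the two lines should read `+This means upgrade from IPA 2.x to 3.x did not go well and required S4U2Proxy` and `+and re-run ipa-adtrust-install again afterwards.`. A recovery message is the kind of text that gets pasted into a shell verbatim, so the command name in particular needs to be right before this lands. A one-line comment above the constant saying it is printed when the S4U2Proxy delegation-targets entry is missing at install time would also help readers who only see this module.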
@@ -382,6 +389,25 @@ class ADTRUSTInstance(service.Service):
         self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
                                'ipa-extdom-extop-conf.ldif')
+    def __add_s4u2proxy_target(self):
+        """
+        Add CIFS principal to S4U2Proxy target
+        """
+
+        targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
+                        ('cn', 'etc'), self.suffix)
+        try:
+            targets = self.admin_conn.getEntry(targets_dn, ldap.SCOPE_BASE)
+            current = ipaldap.Entry((targets_dn, targets.toDict()))
+            members = current.getValues('memberPrincipal') or []
+            if not(self.cifs_principal in members):
+                current.setValues("memberPrincipal", members + [self.cifs_principal])
+                self.admin_conn.updateEntry(targets_dn, targets.toDict(), current.toDict())
+            else:
+                self.print_msg('cifs principal already targeted, nothing to do.')
+        except errors.NotFound:
+            self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))
+
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
         conf = ipautil.template_file(template, self.sub_dict)
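Review bot: When the delegation-targets entry is missing, `__add_s4u2proxy_target` only prints UPGRADE_ERROR and returns, so the install step completes as if it succeeded even though the cifs principal was never added to `ipa-cifs-delegation-targets`; unless print_msg is expected to surface this to the operator (not visible in this hunk), consider re-raising after the message, or at least logging it at error level, so a partially configured S4U2Proxy delegation is not recorded as a successful step. The membership test `if not(self.cifs_principal in members):` is more idiomatically `if self.cifs_principal not in members:`, and the same form appears in __setup_principal. That test is an exact string comparison, so a value already stored with a different spelling of the same principal (constructed example: differing realm case) would be appended as a second memberPrincipal; that is fine if self.cifs_principal is always built the same way, which this hunk does not show.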
@@ -402,12 +428,19 @@ class ADTRUSTInstance(service.Service):
             # Add the principal to the 'adtrust agents' group
             # as 389-ds only operates with GroupOfNames, we have to use
             # the principal's proper dn as defined in self.cifs_agent
-            entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
-            current = ipaldap.Entry(self.smb_dn, entry.toDict())
-            if not('member' in current):
-                current['member'] = []
-            entry.setValues("member", current['member'] + [self.cifs_agent])
-            self.admin_conn.updateEntry(self.smb_dn, current, entry)
+            try:
+                entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
+                current = ipaldap.Entry((self.smb_dn, entry.toDict()))
+                members = current.getValues('member') or []
+                if not(self.cifs_agent in members):
+                    current.setValues("member", members + [self.cifs_agent])
+                    self.admin_conn.updateEntry(self.smb_dn, entry.toDict(), current.toDict())
+            except errors.NotFound:
+                entry = ipaldap.Entry(self.smb_dn)
+                entry.setValues("objectclass", ["top", "GroupOfNames"])
+                entry.setValues("cn", self.smb_dn['cn'])
+                entry.setValues("member", [self.cifs_agent])
+                self.admin_conn.addEntry(entry)
         except Exception, e:
             # CIFS principal already exists, it is not the first time adtrustinstance is managed
             # That's fine, we we'll re-extract the key again.
@@ -703,6 +736,7 @@ class ADTRUSTInstance(service.Service):
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
         self.step("updating Kerberos config", self.__update_krb5_conf)
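Review bot: The new inner try/except in __setup_principal handles only errors.NotFound, so any other failure while managing the 'adtrust agents' group (a permission denial on updateEntry, a schema rejection of the `["top", "GroupOfNames"]` add) still falls through to the enclosing `except Exception, e:` visible at the bottom of the hunk, whose comment attributes the error to the CIFS principal already existing; a cifs agent that never made it into the group would then be treated as success. __setup_principal begins and ends outside the hunk, so the full outer try is not visible, but the context lines place the group handling inside it; moving the group update after the outer try/except, or catching only the specific error types the group operations are expected to raise, would keep a failed membership change from being silently misreported. The `except errors.NotFound:` branch also creates the group with a different definition from the `default:` lines that 60-trusts.update in this same commit still carries, so a comment such as `# keep in sync with install/updates/60-trusts.update` on the addEntry path would help the two stay aligned.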