trust upgrade: ensure that host is member of adtrust agents #3977

Closed
flo-renaud

After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:

  • krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
  • fqdn=hostname,cn=computers,cn=accounts,basedn

Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
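
An added example, not part of the pull request or the FreeIPA code base: a stand-alone audit of the membership rule described above, which derives the expected fqdn=... entry from each cifs principal and reports the ones missing from the group. The base DN, realm, hostnames and the function name `missing_host_members` are constructed for illustration, and member DNs are assumed to be in the comma-separated form shown above, without extra spaces.

```python
import re

# First RDN of a cifs service member: krbprincipalname=cifs/<hostname>@<realm>
CIFS_RDN = re.compile(r"^krbprincipalname=cifs/([^@,]+)@[^,]+,", re.IGNORECASE)


def missing_host_members(members, basedn):
    """Return host DNs implied by cifs principals but absent from the group.

    members: member DNs of cn=adtrust agents (hypothetical helper, assumes
    DNs without extra whitespace around '=' and ',').
    """
    present = {m.strip().lower() for m in members}  # DN matching ignores case
    missing = []
    for dn in members:
        match = CIFS_RDN.match(dn.strip())
        if match is None:
            continue  # host entries and any unrelated members are skipped
        host_dn = "fqdn={},cn=computers,cn=accounts,{}".format(
            match.group(1).lower(), basedn)
        if host_dn.lower() not in present:
            present.add(host_dn.lower())  # report each host only once
            missing.append(host_dn)
    return missing


# Constructed sample: two trust controllers, the second lost its host entry.
BASEDN = "dc=ipa,dc=test"
SAMPLE_MEMBERS = [
    "krbprincipalname=cifs/master1.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test",
    "FQDN=master1.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test",
    "krbprincipalname=cifs/replica1.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test",
]

if __name__ == "__main__":
    for dn in missing_host_members(SAMPLE_MEMBERS, BASEDN):
        print("missing member:", dn)
```

The member list would come from the `member` attribute of the group entry; how it is fetched is left out so the check runs offline.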

abbra commented Dec 4, 2019

LGTM. For adtrust controller, we add both cifs principal and host principal already in ipaserver/install/adtrustinstance.py:ADTRUSTInstance.__setup_group_membership(), so this should be enough to fix situations where host principal is missing.

@abbra added the labels ipa-4-6 (Mark for backport to ipa 4.6), ipa-4-7, ipa-4-8 (Mark for backport to ipa 4.8) and ack (Pull Request approved, can be merged) on Dec 4, 2019.
@flo-renaud added the label pushed (Pull Request has already been pushed) on Dec 4, 2019.
@flo-renaud

master:

  • 2c9b212 trust upgrade: ensure that host is member of adtrust agents
