adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab #457
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abbra
reviewed
Feb 10, 2017
ipaserver/install/adtrustinstance.py
Outdated
|
|
||
| def _clean_previous_keytab(self): | ||
| """ | ||
| Purge old CIFS keys from /etc/krb5.keytab and clean up samba ccache |
There was a problem hiding this comment.
Samba does not use /etc/krb5.keytab. Instead, Samba has own keytab in /etc/samba/samba.keytab.
ipaserver/install/adtrustinstance.py
Outdated
| % self.principal) | ||
| def _set_keytab_owner(self): | ||
| """ | ||
| Do not re-set ownership of /etc/krb5.keytab |
There was a problem hiding this comment.
Same here -- Samba uses /etc/samba/samba.keytab. That keytab file should be root:root.
martbab
force-pushed
the
adtrust-installer-keytab-via-ldapi
branch
from
5422ffa
to
5322384
Compare
|
Sorry I just got confused for a bit. Fixed the docstring now refer only to 'samba keytab'. |
added 4 commits
February 17, 2017 16:30
The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638
a cosmetic change: we had private method comprising of calls to public ones, which did not make much sense in our case https://fedorahosted.org/freeipa/ticket/6638
adtrustinstance will now use parent's methods to retrieve keys for CIFS principal. Since the keys are appended to the host keytab (/etc/krb5.keytab) we need to make sure that only the stale CIFS keys are purged from the file and that we do not re-set its ownership. https://fedorahosted.org/freeipa/ticket/6638
martbab
force-pushed
the
adtrust-installer-keytab-via-ldapi
branch
from
5322384
to
5d0bed6
Compare
|
I have added some commits to cope with changes made during privliege spearation work |
|
Bump for review. |
MartinBasti
added
ack
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to be able to function as a part of composite installer, samba
configuration code must be able to work without admin credentials. This
requires changes in the CIFS principal key retrieval method so that it is not
bound to the presence of privileged user ccache. This is achieved by slightly
altering and re-using the recently developed code for service keytab retrieval.
https://fedorahosted.org/freeipa/ticket/6638