From 7ccf59111d9cb0d9972d71bdc93ed7d8d006e92b Mon Sep 17 00:00:00 2001
From: William Brown
Date: Nov 25 2019 02:15:30 +0000
Subject: Ticket 50729 - add support for gssapi tests on suse
Bug Description: suse has different paths for it's krb tools.
Fix Description: Allow supporting different paths based on distro detection.
https://pagure.io/389-ds-base/issue/50729
Author: William Brown
Review by: vashirov, mreynolds (Thanks!)
---
diff --git a/dirsrvtests/tests/suites/gssapi/simple_gssapi_test.py b/dirsrvtests/tests/suites/gssapi/simple_gssapi_test.py
index 7f66a2a..be6f68a 100644
--- a/dirsrvtests/tests/suites/gssapi/simple_gssapi_test.py
+++ b/dirsrvtests/tests/suites/gssapi/simple_gssapi_test.py
@@ -97,7 +97,7 @@ def test_missing_user(topology_st_gssapi):
 st.realm.create_principal("doesnotexist")
 st.realm.create_keytab("doesnotexist", "/tmp/doesnotexist.keytab")
 # Now try to bind.
- subprocess.call(['/usr/bin/kdestroy', '-A'])
+ subprocess.call(['kdestroy', '-A'])
 os.environ["KRB5_CLIENT_KTNAME"] = "/tmp/doesnotexist.keytab"
 conn = ldap.initialize(st.toLDAPURL())
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 6f4a1e1..53f3a0b 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -294,6 +294,7 @@ Requires: openssl
 Requires: openssl-perl
 Requires: iproute
 Requires: python%{python3_pkgversion}
+Requires: python%{python3_pkgversion}-distro
 Requires: python%{python3_pkgversion}-pytest
 Requires: python%{python3_pkgversion}-ldap
 Requires: python%{python3_pkgversion}-six
diff --git a/src/lib389/lib389/idm/account.py b/src/lib389/lib389/idm/account.py
index c95e7a9..8a9e36d 100644
--- a/src/lib389/lib389/idm/account.py
+++ b/src/lib389/lib389/idm/account.py
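Review bot: `subprocess.call(['kdestroy', '-A'])` now resolves the binary through `PATH` and still discards the exit status; the same call is changed in `Account.bind_gssapi` in src/lib389/lib389/idm/account.py, which is library code rather than a test. The KDC tools in `MitKrb5.__init__` keep absolute per-distro paths in this commit, so kdestroy is the one Kerberos tool whose location depends on the caller's environment, and a `PATH` with a writable directory ahead of the system ones would decide which program runs. Consider adding a `kdestroy` entry to that per-distro path table and using it in both places. A non-zero return should at least be logged, e.g. `rc = subprocess.call([...])` followed by `if rc != 0: log.warning("kdestroy exited %d", rc)`, because a cache that was not destroyed may be what the following bind uses instead of the keytab. Both enclosing functions extend beyond their hunks.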
@@ -240,8 +240,8 @@ class Account(DSLdapObject):
 Bind this account with gssapi credntials (if available)
 """
 assert self._instance.realm is not None
- # Kill any local ccache.
- subprocess.call(['/usr/bin/kdestroy', '-A'])
+ # Kill any local kerberos ccache.
+ subprocess.call(['kdestroy', '-A'])
 # This uses an in memory once off ccache.
 os.environ["KRB5_CLIENT_KTNAME"] = self._keytab
diff --git a/src/lib389/lib389/mit_krb5.py b/src/lib389/lib389/mit_krb5.py
index fe37387..7808713 100644
--- a/src/lib389/lib389/mit_krb5.py
+++ b/src/lib389/lib389/mit_krb5.py
@@ -20,6 +20,7 @@ import signal
 import string
 import random
 import subprocess
+import distro
 from lib389._constants import *
 from socket import getfqdn
@@ -33,17 +34,31 @@ class MitKrb5(object):
 def __init__(self, realm, warnings=False, debug=False):
 self.warnings = warnings
 self.realm = realm.upper()
- # For the future if we have a non-os krb install.
 self.krb_prefix = ""
 sep = os.path.sep
- self.kadmin = os.path.join(sep, self.krb_prefix, "usr/sbin/kadmin.local")
- self.kdb5_util = os.path.join(sep, self.krb_prefix, "usr/sbin/kdb5_util")
- self.krb5kdc = os.path.join(sep, self.krb_prefix, "usr/sbin/krb5kdc")
- self.kdcconf = os.path.join(sep, self.krb_prefix, "var/kerberos/krb5kdc/kdc.conf")
- self.kdcpid = os.path.join(sep, self.krb_prefix, "var/run/krb5kdc.pid")
- self.krb5conf = os.path.join(sep, self.krb_prefix, "etc/krb5.conf")
- self.krb5confrealm = os.path.join(sep, self.krb_prefix, "etc/krb5.conf.d",
- self.realm.lower().replace('.', '-'))
+ # For the future if we have a non-os krb install.
+ if 'suse' in distro.like():
+ self.kadmin = os.path.join(sep, self.krb_prefix, "usr/lib/mit/sbin/kadmin.local")
+ self.kdb5_util = os.path.join(sep, self.krb_prefix, "usr/lib/mit/sbin/kdb5_util")
+ self.krb5kdc = os.path.join(sep, self.krb_prefix, "usr/lib/mit/sbin/krb5kdc")
+ self.kdcconf = os.path.join(sep, self.krb_prefix, "var/lib/kerberos/krb5kdc/kdc.conf")
+ self.kadm5acl = os.path.join(sep, self.krb_prefix, "var/lib/kerberos/krb5kdc/kadm5.acl")
+ self.kadm5keytab = os.path.join(sep, self.krb_prefix, "var/lib/kerberos/krb5kdc/kadm5.keytab")
+ self.kdcpid = os.path.join(sep, self.krb_prefix, "var/run/krb5kdc.pid")
+ self.krb5conf = os.path.join(sep, self.krb_prefix, "etc/krb5.conf")
+ self.krb5confrealm = os.path.join(sep, self.krb_prefix, "etc/krb5.conf.d",
+ self.realm.lower().replace('.', '-'))
+ else:
+ self.kadmin = os.path.join(sep, self.krb_prefix, "usr/sbin/kadmin.local")
+ self.kdb5_util = os.path.join(sep, self.krb_prefix, "usr/sbin/kdb5_util")
+ self.krb5kdc = os.path.join(sep, self.krb_prefix, "usr/sbin/krb5kdc")
+ self.kdcconf = os.path.join(sep, self.krb_prefix, "var/kerberos/krb5kdc/kdc.conf")
+ self.kadm5acl = os.path.join(sep, self.krb_prefix, "var/kerberos/krb5kdc/kadm5.acl")
+ self.kadm5keytab = os.path.join(sep, self.krb_prefix, "var/kerberos/krb5kdc/kadm5.keytab")
+ self.kdcpid = os.path.join(sep, self.krb_prefix, "var/run/krb5kdc.pid")
+ self.krb5conf = os.path.join(sep, self.krb_prefix, "etc/krb5.conf")
+ self.krb5confrealm = os.path.join(sep, self.krb_prefix, "etc/krb5.conf.d",
+ self.realm.lower().replace('.', '-'))
 self.krb_master_password = password_generate()
@@ -133,14 +148,14 @@ class MitKrb5(object):
 [realms]
 {REALM} = {{
- acl_file = {PREFIX}/var/kerberos/krb5kdc/kadm5.acl
+ acl_file = {KADM5ACL}
 dict_file = /usr/share/dict/words
- admin_keytab = {PREFIX}/var/kerberos/krb5kdc/kadm5.keytab
+ admin_keytab = {KADM5KEYTAB}
 # Just use strong enctypes
 # supported_enctypes = aes256-cts:normal aes128-cts:normal
 }}
-""".format(REALM=self.realm, PREFIX=self.krb_prefix))
+""".format(REALM=self.realm, PREFIX=self.krb_prefix, KADM5ACL=self.kadm5acl, KADM5KEYTAB=self.kadm5keytab))
 # Invoke kdb5_util
 # Can this use -P
 p = Popen([self.kdb5_util, 'create', '-r', self.realm, '-s', '-P',
diff --git a/src/lib389/requirements.txt b/src/lib389/requirements.txt
index eb2475f..760eaae 100644
--- a/src/lib389/requirements.txt
+++ b/src/lib389/requirements.txt
@@ -7,3 +7,4 @@ argcomplete
 argparse-manpage
 python-ldap
 setuptools
+distro
diff --git a/src/lib389/setup.py b/src/lib389/setup.py
index 0561739..123348a 100644
--- a/src/lib389/setup.py
+++ b/src/lib389/setup.py
@@ -83,6 +83,7 @@ setup(
 'argparse-manpage',
 'python-ldap',
 'setuptools',
+ 'distro',
 ],
 cmdclass={
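Review bot: The two branches added to `MitKrb5.__init__` repeat ten assignments although only the sbin directory and the KDC state directory differ, so a later path correction can land in one branch and miss the other. `kdcpid`, `krb5conf` and `krb5confrealm` are identical in both branches and can stay outside the conditional. The comment `# For the future if we have a non-os krb install.` described `self.krb_prefix` and now sits directly above the distro check, where it no longer matches the code under it. The sketch below keeps the same resulting paths; `__init__` continues past the end of the hunk.

```python
        # For the future if we have a non-os krb install.
        self.krb_prefix = ""
        sep = os.path.sep
        # Only the sbin directory and the KDC state directory differ per distro.
        if 'suse' in distro.like():
            sbin_dir = "usr/lib/mit/sbin"
            kdc_dir = "var/lib/kerberos/krb5kdc"
        else:
            sbin_dir = "usr/sbin"
            kdc_dir = "var/kerberos/krb5kdc"
        self.kadmin = os.path.join(sep, self.krb_prefix, sbin_dir, "kadmin.local")
        self.kdb5_util = os.path.join(sep, self.krb_prefix, sbin_dir, "kdb5_util")
        self.krb5kdc = os.path.join(sep, self.krb_prefix, sbin_dir, "krb5kdc")
        self.kdcconf = os.path.join(sep, self.krb_prefix, kdc_dir, "kdc.conf")
        self.kadm5acl = os.path.join(sep, self.krb_prefix, kdc_dir, "kadm5.acl")
        self.kadm5keytab = os.path.join(sep, self.krb_prefix, kdc_dir, "kadm5.keytab")
        # … kdcpid, krb5conf and krb5confrealm assigned once here, text unchanged …
```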
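Review bot: `PREFIX=self.krb_prefix` is still passed to `.format()` although both `{PREFIX}` placeholders visible in this hunk are replaced by `{KADM5ACL}` and `{KADM5KEYTAB}`. The template starts above the hunk, so `{PREFIX}` may still be used there; if it is not, the call can read `.format(REALM=self.realm, KADM5ACL=self.kadm5acl, KADM5KEYTAB=self.kadm5keytab)`. A one-line comment above the template, `# acl_file and admin_keytab come from the distro-specific paths set in __init__`, would tell the reader where those two values originate.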