From 80be759fdced6e34701519b00f4a29466b1492eb Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Sep 11 2019 09:23:47 +0000
Subject: Move certauth configuration into a server krb5.conf template

Signed-off-by: Robbie Harwood
Reviewed-By: Alexander Bokovoy
Reviewed-By: Simo Sorce
Reviewed-By: Robbie Harwood
---
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 2cc9626..ec76d4a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -51,6 +51,7 @@ dist_app_DATA = \
 kdc_extensions.template \
 kdc_req.conf.template \
 krb5.conf.template \
+ freeipa-server.template \
 krb5.ini.template \
 krb.con.template \
 krbrealm.con.template \
diff --git a/install/share/freeipa-server.template b/install/share/freeipa-server.template
new file mode 100644
index 0000000..f6d1a39
--- /dev/null
+++ b/install/share/freeipa-server.template
@@ -0,0 +1,5 @@
+[plugins]
+ certauth = {
+ module = ipakdb:kdb/ipadb.so
+ enable_only = ipakdb
+ }
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3d291b9..34acbe0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -74,6 +74,7 @@ class BasePathNamespace:
 COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
 KRB5_CONF = "/etc/krb5.conf"
 KRB5_FREEIPA = COMMON_KRB5_CONF_DIR + "freeipa"
+ KRB5_FREEIPA_SERVER = COMMON_KRB5_CONF_DIR + "freeipa-server"
 KRB5_KEYTAB = "/etc/krb5.keytab"
 LDAP_CONF = "/etc/ldap.conf"
 LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 437e469..22d07df 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
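Review bot: The new freeipa-server.template has no header comment marking it as IPA-managed, yet `enable_server_snippet` in this same commit copies it over /etc/krb5.conf.d/freeipa-server unconditionally on every upgrade, so any local edit to that file would be silently lost. A leading comment line such as `# Managed by FreeIPA and regenerated on upgrade; do not edit.` makes that explicit, and since it contains no template variable it is safe for both the install-time templating path and the verbatim copy on upgrade. The krb5 profile parser accepts `#` comment lines, so the line does not affect what the KDC reads.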
@@ -349,6 +349,7 @@ class KrbInstance(service.Service):
 def __configure_instance(self):
 self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
 self.__template_file(paths.KRB5_CONF)
+ self.__template_file(paths.KRB5_FREEIPA_SERVER)
 self.__template_file(paths.KRB5_FREEIPA, client_template=True)
 self.__template_file(paths.HTML_KRB5_INI)
 self.__template_file(paths.KRB_CON)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0d0469a..90e203a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1654,36 +1654,17 @@ def setup_spake(krb):
 aug.close()
 
 
-def enable_certauth(krb):
- logger.info("[Enable certauth]")
-
- aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
- loadpath=paths.USR_SHARE_IPA_DIR)
- try:
- aug.transform('IPAKrb5', paths.KRB5_CONF)
- aug.load()
-
- path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
- modified = False
-
- if not aug.match(path):
- aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
- aug.set('{}/enable_only'.format(path), 'ipakdb')
- modified = True
-
- if modified:
- try:
- aug.save()
- except IOError:
- for error_path in aug.match('/augeas//error'):
- logger.error('augeas: %s', aug.get(error_path))
- raise
+# Currently, this doesn't support templating.
+def enable_server_snippet():
+ logger.info("[Enable server krb5.conf snippet]")
+ template = os.path.join(
+ paths.USR_SHARE_IPA_DIR,
+ os.path.basename(paths.KRB5_FREEIPA_SERVER) + ".template"
+ )
+ shutil.copy(template, paths.KRB5_FREEIPA_SERVER)
+ os.chmod(paths.KRB5_FREEIPA_SERVER, 0o644)
 
- if krb.is_running():
- krb.stop()
- krb.start()
- finally:
- aug.close()
+ tasks.restore_context(paths.KRB5_FREEIPA_SERVER)
 
 
 def ntpd_cleanup(fqdn, fstore):
@@ -2144,7 +2125,7 @@ def upgrade_configuration():
 krb.add_anonymous_principal()
 setup_spake(krb)
 setup_pkinit(krb)
- enable_certauth(krb)
+ enable_server_snippet()
 
 if not ds_running:
 ds.stop(ds.serverid)
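Review bot: The install path writes the snippet through `self.__template_file(paths.KRB5_FREEIPA_SERVER)` with default arguments, whereas the upgrade path added in this commit copies the template by hand and then applies mode 0o644 and `tasks.restore_context` explicitly; `__template_file` is outside the hunk, so I cannot confirm both paths leave the KDC plugin config with the same mode, owner and SELinux label, and if they differ, fresh and upgraded servers diverge on a file the KDC loads at start. Consider having `enable_server_snippet` reuse the same helper, or at least add a comment on the new line, e.g. `# Also written by upgrade.enable_server_snippet(); keep mode/context in sync`. The rest of `__configure_instance` continues past the end of the hunk.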
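Review bot: The KDC restart that the removed `enable_certauth` performed (`krb.stop()` / `krb.start()` when running) has no counterpart in `enable_server_snippet`, so unless `upgrade_configuration` restarts the KDC later on (outside this hunk), a server that first gains the snippet during upgrade keeps running without the certauth registration until its next restart. The new function also does not remove the `[plugins] certauth` stanza that the old Augeas code wrote directly into `/etc/krb5.conf`, so hosts upgraded under the previous code will carry the same stanza in both files; it is worth confirming that libkrb5 tolerates the duplicate `module`/`enable_only` relations or cleaning the old one up. Finally, the only comment says what is unsupported rather than what the function does; a docstring such as `"""Install the server-only krb5.conf snippet from its packaged template, overwriting any existing copy."""` would make the unconditional `shutil.copy` intentional to the next reader.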