From d7f91dce493efc4e505ea758b073040716249561 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Jul 16 2015 11:41:08 +0000 Subject: oddjob: avoid chown keytab to sssd if sssd user does not exist If sssd user does not exist, it means SSSD does not run as sssd user. Currently SSSD has too tight check for keytab permissions and ownership. It assumes the keytab has to be owned by the same user it runs under and has to have 0600 permissions. ipa-getkeytab creates the file with right permissions and 'root:root' ownership. Jakub Hrozek promised to enhance SSSD keytab permissions check so that both sssd:sssd and root:root ownership is possible and then when SSSD switches to 'sssd' user, the former becomes the default. Since right now SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd' user in Fedora 22 / RHEL 7 environments, we can use its presence as a version trigger. https://fedorahosted.org/freeipa/ticket/5136 Reviewed-By: Tomas Babej --- diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index 85e3cc9..e50c81e 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): env={'KRB5CCNAME': ccache_name, 'LANG': 'C'}, raiseonerr=False) # Make sure SSSD is able to read the keytab - sssd = pwd.getpwnam('sssd') - os.chown(oneway_keytab_name, sssd[2], sssd[3]) + try: + sssd = pwd.getpwnam('sssd') + os.chown(oneway_keytab_name, sssd[2], sssd[3]) + except KeyError as e: + # If user 'sssd' does not exist, we don't need to chown from root to sssd + # because it means SSSD does not run as sssd user + pass def parse_options():