Thanks to the work done while refactoring the service installers, it should be possible to configure a Samba instance without any Kerberos credentials, using only LDAPI and autobind as root.
We already fulfil some of the conditions required to safely use LDAPI/EXTERNAL for configuration:
1.) we run the installer only as root user
2.) LDAPI and autobind are safely configured by the time we get to configure samba service
3.) we either modify samba config file or registry via subprocesses
4.) we add relevant LDAP entries through API's ldap2 connection which can use ldapi/autobind by default if no ccache is supplied
We only need to modify the keytab retrieval code so that it reflects the enhancements made in ipa-getkeytab (#6409) and can actually retrieve the CIFS principal's keys via the EXTERNAL mechanism.
This effort is a prerequisite for merging the AD trust installer code into the server/replica install as an optional component (since we are not guaranteed to have an admin ccache during a composite installer run).
The current code, which re-kinits the privileged user to fetch a TGT with the MS-PAC blob attached in the standalone installer, will be kept intact in order to preserve its original behavior.
master:
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.5