From 4fd15ef7c4059e8010e54b014795f20ba459fc3f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 3 Dec 2019 12:56:22 +0100
Subject: [PATCH] trust upgrade: ensure that host is member of adtrust agents
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds, if needed, the matching fqdn=hostname,... entries.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/plugins/adtrust.py | 55 +++++++++++++++++++
2 files changed, 56 insertions(+)
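--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -13,6 +13,7 @@ plugin: update_default_trust_view
 plugin: update_tdo_gidnumber
 plugin: update_tdo_to_new_layout
 plugin: update_tdo_default_read_keys_permissions
+plugin: update_adtrust_agents_members
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs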
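--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -8,9 +8,11 @@ from ipalib import Updater
 from ipapython.dn import DN
 from ipapython import ipautil
 from ipaplatform.paths import paths
+from ipaserver.install import service
 from ipaserver.install import sysupgrade
 from ipaserver.install.adtrustinstance import (
 ADTRUSTInstance, map_Guests_to_nobody)
+
 from ipaserver.dcerpc_common import TRUST_BIDIRECTIONAL
 
 try:
@@ -791,3 +793,56 @@ class update_tdo_default_read_keys_permissions(Updater):
 tdo.single_value.get('krbCanonicalName'))
 
 return False, []
+
+
+@register()
+class update_adtrust_agents_members(Updater):
+    """ Ensure that each adtrust agent is a member of the adtrust agents group
+
+    cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN must contain:
+    - member: krbprincipalname=cifs/master@realm,cn=services,cn=accounts,base
+    - member: fqdn=master,cn=computers,cn=accounts,base
+    """
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        agents_dn = DN(
+            ('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
+            ('cn', 'etc'), self.api.env.basedn)
+
+        try:
+            agents_entry = ldap.get_entry(agents_dn, ['member'])
+        except errors.NotFound:
+            logger.error("No adtrust agents group found")
+            return False, []
+
+        # Build a list of agents from the cifs/.. members
+        agents_list = []
+        members = agents_entry.get('member', [])
+        suffix = '@{}'.format(self.api.env.realm).lower()
+
+        for amember in members:
+            if amember[0].attr.lower() == 'krbprincipalname':
+                # Extract krbprincipalname=cifs/hostname@realm from the DN
+                value = amember[0].value
+                if (value.lower().startswith('cifs/') and
+                        value.lower().endswith(suffix)):
+                    # 5 = length of 'cifs/'
+                    hostname = value[5:-len(suffix)]
+                    agents_list.append(DN(('fqdn', hostname),
+                                          self.api.env.container_host,
+                                          self.api.env.basedn))
+
+        # Add the fqdn=hostname... to the group
+        service.add_principals_to_group(
+            ldap,
+            agents_dn,
+            "member",
+            agents_list)
+
+        return False, []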
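Review bot: `service.add_principals_to_group(ldap, agents_dn, "member", agents_list)` at the end of `execute` runs unconditionally, so a trust-enabled server whose group has no `cifs/` members still issues the call with an empty `agents_list`; unless that helper (not visible in this hunk) short-circuits on an empty list, guard it with `if agents_list:` so no needless modify is attempted against the group entry. The hostname slice `value[5:-len(suffix)]` is only safe because the `startswith('cifs/')` and `endswith(suffix)` checks precede it; a comment such as `# safe: prefix and suffix were both verified above` would tie the slice to those checks for the next reader. `execute` has no docstring; a one-liner such as `"""Add a fqdn=<host> member for every cifs/<host> member of the adtrust agents group."""` would state its purpose without restating the class docstring. The first hunk of this file only adds the `service` import; the class `update_tdo_default_read_keys_permissions` ends inside the second hunk, its body starting before it.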
--
2.23.0