From dae784292fb49559de4aaee2a999c444a72ce272 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 16 Oct 2018 17:54:09 +0300
Subject: [PATCH] net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.
If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.
Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.
Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.
For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
(cherry picked from commit 3b79deae537f73ffd18e85f52e00e611543e5e45)
---
ipaserver/install/adtrustinstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
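diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 4141d8991cf75b60dea4ec123f0e3931bb3e6976..a21be5fba375a48fb82ea4224d00fb71c3688eb8 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -123,8 +123,8 @@ def make_netbios_name(s):
 
 def map_Guests_to_nobody():
     env = {'LC_ALL': 'C'}
-    args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',
-            'unixgroup=nobody', 'type=builtin']
+    args = [paths.NET, '-s', '/dev/null', 'groupmap', 'add',
+            'sid=S-1-5-32-546', 'unixgroup=nobody', 'type=builtin']
 
     logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
     ipautil.run(args, env=env, raiseonerr=False, capture_error=True)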
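Review bot: The reason for `-s /dev/null` on the new `args` line lives only in the commit message; a maintainer who later sees a `net` call that deliberately ignores smb.conf is likely to "fix" it, so the line deserves a comment such as `# -s /dev/null: do not load smb.conf, so the ipasam passdb backend is never initialised; its GSSAPI bind fails when the KDC is down and would otherwise replace the caller's default ccache`. Because the empty config also discards any `private dir`/`state directory` settings from smb.conf, it is worth confirming that the mapping is written to the same group-mapping database that the running smbd reads; this is an inference from the flag, not something visible in the hunk. The return value of `ipautil.run(..., raiseonerr=False)` is still discarded, so a failed mapping goes unreported unless the captured error is logged elsewhere; that behaviour predates this change but becomes more relevant now that the command runs against an empty configuration.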
--
2.20.1