[Freeipa-devel] [PATCH] client: include the directory with domain-realm mappings in krb5.conf

Jakub Hrozek jhrozek at redhat.com
Mon Oct 8 16:17:26 UTC 2012


On Fri, Aug 17, 2012 at 12:20:27PM -0400, Simo Sorce wrote:
> 
> 
> ----- Original Message -----
> > Hi,
> > 
> > the attached patches add the directory the SSSD writes domain-realm
> > mappings as includedir to krb5.conf when installing the client.
> > 
> > [PATCH 1/3] ipachangeconf: allow specifying non-default delimeter for
> > options
> > ipachangeconf only allows one delimiter between keys and values. This
> > patch adds the possibility of also specifying "delim" in the option
> > dictionary to override the default delimiter.
> > 
> > On a slightly-unrelated note, we really should think about adopting
> > Augeas. Changing configuration with home-grown scripts is getting
> > tricky.
> > 
> > [PATCH 2/3] Specify includedir in krb5.conf on new installs
> > This patch utilizes the new functionality from the previous patch to
> > add
> > the includedir on top of the krb5.conf file
> > 
> > [PATCH 3/3] Add the includedir to krb5.conf on upgrades
> > This patch is completely untested and I'm only posting it to get
> > opinions. At first I was going to use an upgrade script in %post but
> > then I thought it would be overengineering when all we want to do is
> > prepend one line. Would a simple munging like this be acceptable or
> > shall I write a full script?
> 
> NACK, using a scriptlet is fine, but not the way you did, as it has a huge race condition where krb5.conf exists and has only one line in it (the include line).
> 
> You should first create the new file: echo "include ..." > /etc/krb.conf.ipanew
> Then cat the contents of the existing file in it: cat /etc/krb.conf >> /etc/krb.conf.ipanew
> And finally atomically rename it: mv /etc/krb.conf.ipanew /etc/krb.conf
> 
> This method is also safe wrt something killing the yum process ...
> 
> Simo.

I'm attaching a new revision of the patches not even two months after
the original nack.

I also think it might be nice to have a more general way of upgrading
the client config so I filed
https://fedorahosted.org/freeipa/ticket/3149
-------------- next part --------------
From f93e181d4812dd66eda7cbc2cd9fc8ccc603e0c5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Fri, 17 Aug 2012 11:19:03 +0200
Subject: [PATCH 1/3] ipachangeconf: allow specifying non-default delimeter
 for options

---
 ipa-client/ipaclient/ipachangeconf.py | 37 +++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py
index 6cf47b807957c245fe03ff4259e35526c49175a9..087e096920854bdd822d83182102723a2082af2a 100644
--- a/ipa-client/ipaclient/ipachangeconf.py
+++ b/ipa-client/ipaclient/ipachangeconf.py
@@ -174,9 +174,13 @@ class IPAChangeConf:
                                               self.subsectdel[1]))
                 continue
             if o['type'] == "option":
+                delim = o.get('delim', self.dassign)
+                if delim not in self.assign:
+                    raise ValueError('Unknown delim "%s" must be one of "%s"' % (delim, " ".join([d for d in self.assign])))
+                output += self.indent[level]+o['name']+delim+o['value']+self.deol
                 output.append(self._dump_line(self.indent[level],
                                               o['name'],
-                                              self.dassign,
+                                              delim,
                                               o['value']))
                 continue
             if o['type'] == "comment":
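
Review bot: In the option branch, the added line output += self.indent[level]+o['name']+delim+o['value']+self.deol looks like a leftover from an older version of this function. output is a list here (the next statement calls output.append), so += with a string extends it one character at a time, and the same option is then emitted a second time through _dump_line. Drop that line and keep only the _dump_line call with delim. The ValueError check is a good addition; its message can use " ".join(self.assign) directly instead of the list comprehension.
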
@@ -200,13 +204,21 @@ class IPAChangeConf:
                     'type': 'comment',
                     'value': value.rstrip()}  # pylint: disable=E1103
 
+        o = dict()
         parts = line.split(self.dassign, 1)
         if len(parts) < 2:
-            raise SyntaxError('Syntax Error: Unknown line format')
+            # The default assign didn't match, try the non-default
+            for d in self.assign[1:]:
+                parts = line.split(d, 1)
+                if len(parts) >= 2:
+                    o['delim'] = d
+                    break
 
-        return {'name': parts[0].strip(),
-                'type': 'option',
-                'value': parts[1].rstrip()}
+            if 'delim' not in o:
+                raise SyntaxError, 'Syntax Error: Unknown line format'
+
+        o.update({'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()})
+        return o
 
     def findOpts(self, opts, type, name, exclude_sections=False):
 
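
Review bot: The new raise after the fallback loop uses the statement form, raise SyntaxError, 'Syntax Error: Unknown line format', where the line it replaces used the call form raise SyntaxError('...'); keep the call form. Two smaller points on the same block: o = dict() followed by o.update(...) can be a single dict literal plus an optional 'delim' key, and since parts[0].strip() suggests the line may still carry leading whitespace, a fallback delimiter of a single space (as patch 2 configures) would split an indented line at its indentation and yield an empty option name. Please check that case, or strip the line before trying the fallback delimiters.
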
@@ -256,13 +268,14 @@ class IPAChangeConf:
                              'value': val})
                 continue
             if o['type'] == 'option':
-                val = self._dump_line(self.indent[level],
-                                      o['name'],
-                                      self.dassign,
-                                      o['value'])
-                opts.append({'name': 'comment',
-                             'type': 'comment',
-                             'value': val})
+                delim = o.get('delim', self.dassign)
+                if delim not in self.assign:
+                    val = self.indent[level]+o['name']+delim+o['value']
+                    val = self._dump_line(self.indent[level],
+                                          o['name'],
+                                          delim,
+                                          o['value'])
+                opts.append({'name':'comment', 'type':'comment', 'value':val})
                 continue
             if o['type'] == 'comment':
                 opts.append(o)
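
Review bot: The condition guarding val in the option branch is inverted. With if delim not in self.assign: the value is only computed for an unknown delimiter; for every valid one the block is skipped and opts.append uses a val that is undefined or left over from an earlier iteration of the loop. The first assignment to val inside the block is also dead, because the _dump_line call overwrites it immediately. Mirror the first hunk instead: raise ValueError when delim is not in self.assign, then build val with _dump_line unconditionally.
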
-- 
1.7.11.4

-------------- next part --------------
From 2e54029779e7930d72d51b5121eff25bf1d685ca Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Sun, 5 Aug 2012 20:47:12 +0200
Subject: [PATCH 2/3] Specify includedir in krb5.conf on new installs

---
 ipa-client/ipa-install/ipa-client-install | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7b057a9878c566343d606ea7399cc9e4509e65b6..705e5dd0ca0bfe8e15bc68b79ca5e2f0a62ffe38 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -729,7 +729,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
         options, filename, client_domain):
 
     krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
-    krbconf.setOptionAssignment(" = ")
+    krbconf.setOptionAssignment((" = ", " "))
     krbconf.setSectionNameDelimiters(("[","]"))
     krbconf.setSubSectionDelimiters(("{","}"))
     krbconf.setIndent(("","  ","    "))
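
Review bot: setOptionAssignment now receives a tuple where it used to receive a string, but no change to that setter is visible in patch 1. Patch 1 reads self.dassign as the default and iterates self.assign[1:], so the setter has to populate both, and any caller still passing a plain string would turn delim not in self.assign into a substring test. Please include the setter change in the series or confirm it already accepts both forms. Also note that with " " as a fallback delimiter, almost any line containing a space will parse as an option, so the Unknown line format error becomes hard to reach when reading krb5.conf.
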
@@ -737,6 +737,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
     opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
             {'name':'empty', 'type':'empty'}]
 
+    # SSSD include dir
+    opts.append({'name':'includedir', 'type':'option', 'value':'/var/lib/sss/pubconf/krb5.include.d/', 'delim':' '})
+    opts.append({'name':'empty', 'type':'empty'})
+
     #[libdefaults]
     libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
     if not dnsok or not cli_kdc or options.force:
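
Review bot: The includedir path is hard-coded in this opts.append call and again in the %post scriptlet in patch 3; a shared constant would keep the two from drifting apart. Because this line makes libkrb5 read configuration from a directory that SSSD writes to, the comment (or the commit message, which is currently empty) should say who is expected to own that directory and what happens on a client where SSSD is not configured and the directory is absent.
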
-- 
1.7.11.4

-------------- next part --------------
From 559697661223dc93cfef77d30efc01a2b21db1e4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Mon, 8 Oct 2012 15:25:53 +0200
Subject: [PATCH 3/3] Add the includedir to krb5.conf on upgrades

---
 freeipa.spec.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7c8314a04dbd01303c9122b4822b074bc7bbff88..11534c1fa2f75d1348ccb3390ef3f274e90c8809 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -569,6 +569,16 @@ fi
 fi
 %endif
 
+%post client
+if egrep -q 'File modified by ipa-client-install' /etc/krb5.conf 2>/dev/null ; then
+    if ! egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
+        echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+        cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+        mv /etc/krb5.conf.ipanew /etc/krb5.conf
+    fi
+fi
+
+
 
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
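
Review bot: Nothing in the scriptlet checks that building /etc/krb5.conf.ipanew succeeded before the mv. If the echo or the cat fails (a full disk, for example), a truncated file replaces krb5.conf; chain the three commands with && and remove the temporary file on failure. The new file is also created by shell redirection, so it takes the umask default mode and a fresh SELinux label rather than those of the original; copying the attributes before the rename (chmod --reference, restorecon) avoids changing them on upgrade. Minor: the path is matched as a regular expression anywhere in the file, including comments, so matching a line that starts with includedir would be stricter.
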
-- 
1.7.11.4


