[Freeipa-devel] [PATCH] 0086 Make sure samba{, 4}-winbind-krb5-locator package is not installed when trusts are in use

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 10 09:04:06 UTC 2012


On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>>Hi,
>>
>>Since use of winbind on FreeIPA server that is configured with trusts is
>>conflicting with krb5 locator based on winbind, make sure there is
>>conflict that will force removing samba{,4}-winbind-krb5-locator package
>>when -server-trust-ad subpackage is installed.
>>
>>Please note that since feature-wise the two packages would be
>>conflicting in use, one has to play tricks with rpm to enforce
>>automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes:
>>in addition to Conflicts: tag. This allows to ensure the two packages
>>are never installed together:
>>
>>Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after
>>freeipa-server-trust-ad subpackage is installed.
>>
>>Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator
>>during the install of freeipa-server-trust-ad.
>Unfortunately, the side-effect of the Obsoletes: tag is that
>freeipa-server-trust-ad would always be selected from the repository
>whenever one wants to install samba{,4}-winbind-krb5-locator, so this
>approach does not work.
>
>We can keep pure Conflicts: tags because they would prevent co-install
>of the packages. They alone would not be able to provide a way to solve
>conflicts.
>
>I'm working on a bit more complex variant with alternatives.
New patch attached. I verified that it works but in order to make it
useful, samba{,4} package needs to be updated to include alternatives
for winbind_krb5_locator.so plugin. Working on that now.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From ce35a07c652bfafd68c2be6878d92675f15d810c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 10 Oct 2012 09:46:08 +0300
Subject: [PATCH 3/5] Make sure samba{,4}-winbind-krb5-locator package is not
 used when trusts are going to be configured

Since use of winbind on FreeIPA server that is configured with trusts is conflicting
with krb5 locator based on winbind, use alternatives mechanism to turn off the locator
plugin by symlinking it to /dev/null.

https://fedorahosted.org/freeipa/ticket/3102
---
 freeipa.spec.in | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..97aa501b3153243ddb213c1b6d85d7a46cc00b70 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -230,6 +230,13 @@ Requires: samba4
 Requires: samba4-winbind
 %endif
 Requires: libsss_idmap
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installes where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 %description server-trust-ad
 Cross-realm trusts with Active Directory in IPA require working Samba 4 installation.
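Review bot: the new comment above the Requires(post) lines says the plugin is diverted "to libkrb5", but the scriptlets added later in this patch register /dev/null as the alternative, and libkrb5 is only the directory the link lives in. Please reword it to say that the plugin path under plugins/libkrb5 is pointed at /dev/null to turn the locator off, as the commit message does, and fix "installes" while there.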
@@ -438,6 +445,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfil
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
 %if 0%{?fedora} >= 16
 # Default to systemd initscripts for F16 and above
 mkdir -p %{buildroot}%{_unitdir}
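Review bot: the mkdir/touch pair is added without a comment and, as far as this hunk shows, outside any conditional, while the matching %ghost entry and the scriptlets elsewhere in the patch sit just before an %endif. If that conditional can be false, the empty winbind_krb5_locator.so stays in the buildroot with no %files entry claiming it; please put the two lines under the same condition and add a one-line comment that the file is only a placeholder for the %ghost entry.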
@@ -568,6 +578,22 @@ if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; t
        rm -f ${FILE_CONTEXT}.%name
 fi
 fi
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+	if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+		%{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+	fi
+fi
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+				winbind_krb5_locator.so /dev/null 90
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+	%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+fi
 %endif
 
 
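Review bot: in %postun the scriptlet calls %{_sbindir}/alternatives, while Requires(postun) and the %post and %preun scriptlets all use %{_sbindir}/update-alternatives; please use the same path in all three so the declared dependency covers what actually runs. The upgrade branch also runs --set winbind_krb5_locator.so /dev/null only when the link already resolves to /dev/null, so it never changes the target; a comment saying what it is meant to achieve would help, or the check should be dropped. Smaller points: == inside [ ] is a bash extension (= is portable), $1 is quoted in %postun but not in %preun, and the priority 90 deserves a note on how it relates to the priority the samba package will register.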
@@ -733,6 +759,7 @@ fi
 %{_mandir}/man1/ipa-adtrust-install.1.gz
 %{python_sitelib}/ipaserver/dcerpc*
 %{python_sitelib}/ipaserver/install/adtrustinstance*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %endif
 
 %files client
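Review bot: the %ghost line makes server-trust-ad claim the plugin path itself, yet none of the 30 added lines introduces a versioned Requires: or Conflicts: on the samba packages, so the spec does not say what happens next to a samba build that has not yet moved winbind_krb5_locator.so under alternatives. Since the cover note says samba has to ship the plugin through alternatives for this to be useful, a versioned dependency on the first samba build that does so would make that ordering explicit.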
@@ -786,6 +813,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Oct 10 2012 Alexander Bokovoy <abokovoy at redhat.com> - 2.99.0-49
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+  plugin to /dev/null since they cannot be used when trusts are configured
+
 * Mon Oct  8 2012 Martin Kosek <mkosek at redhat.com> - 2.99.0-48
 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
 
-- 
1.7.12


