On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
Hi,

Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, make sure there is
a conflict that will force removing samba{,4}-winbind-krb5-locator package
when -server-trust-ad subpackage is installed.

Please note that since feature-wise the two packages would be
conflicting in use, one has to play tricks with rpm to enforce
automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes:
in addition to Conflicts: tag. This allows to ensure the two packages
are never installed together:

Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after
freeipa-server-trust-ad subpackage is installed.

Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator
during the install of freeipa-server-trust-ad.
Unfortunately, the side-effect of the Obsoletes: tag is that
freeipa-server-trust-ad would always be selected from the repository
whenever one wants to install samba{,4}-winbind-krb5-locator, so this
approach does not work.

We can keep pure Conflicts: tags because they would prevent co-install
of the packages. They alone would not be able to provide a way to solve
conflicts.

I'm working on a bit more complex variant with alternatives.
New patch attached. I verified that it works but in order to make it
useful, samba{,4} package needs to be updated to include alternatives
for winbind_krb5_locator.so plugin. Working on that now.

--
/ Alexander Bokovoy
From ce35a07c652bfafd68c2be6878d92675f15d810c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 10 Oct 2012 09:46:08 +0300
Subject: [PATCH 3/5] Make sure samba{,4}-winbind-krb5-locator package is not
 used when trusts are going to be configured

Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, use alternatives mechanism
to turn off the locator plugin by symlinking it to /dev/null.

https://fedorahosted.org/freeipa/ticket/3102
---
 freeipa.spec.in | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..97aa501b3153243ddb213c1b6d85d7a46cc00b70
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -230,6 +230,13 @@ Requires: samba4
 Requires: samba4-winbind
 %endif
 Requires: libsss_idmap
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installes where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 %description server-trust-ad
 Cross-realm trusts with Active Directory in IPA require working Samba 4 
installation.
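
Review bot: the new comment above the Requires lines says the plugin is diverted "to libkrb5", but the scriptlets in this patch point the alternative at /dev/null; reword it to say the locator plugin is disabled by linking it to /dev/null, and fix the typo "installes". The three Requires name %{_sbindir}/update-alternatives while the %postun scriptlet calls %{_sbindir}/alternatives, so pick one name and use it in both places so the declared dependency matches what is executed.
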
@@ -438,6 +445,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles 
%{buildroot}%{_sysconfdir}/tmpfil
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
 %if 0%{?fedora} >= 16
 # Default to systemd initscripts for F16 and above
 mkdir -p %{buildroot}%{_unitdir}
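
Review bot: the mkdir/touch pair added to %install has no comment, so it is not clear that the empty winbind_krb5_locator.so exists only so the path can be listed as %ghost in the server-trust-ad %files section. Add a one-line comment saying it is a placeholder for the alternatives-managed symlink and is never meant to be loaded as a plugin.
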
@@ -568,6 +578,22 @@ if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f 
${FILE_CONTEXT}.%{name} ]; t
        rm -f ${FILE_CONTEXT}.%name
 fi
 fi
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+       if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" 
== "/dev/null" ]; then
+               %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+       fi
+fi
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install 
%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+                               winbind_krb5_locator.so /dev/null 90
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+       %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so 
/dev/null
+fi
 %endif
 
 
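
Review bot: in %postun the upgrade branch runs alternatives --set ... /dev/null only when the link already resolves to /dev/null, so the visible target does not change; the only effect is pinning the alternative in manual mode, and that intent needs a comment, or the block should be dropped. If the goal is to keep the locator disabled, also document why priority 90 in %post is enough, since in automatic mode a provider registered with a higher priority would be selected instead of /dev/null. Smaller points: `==` inside `[ ]` and backticks are less portable than `=` and `$( )`, and `$1` is quoted in %postun but not in %preun.
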
@@ -733,6 +759,7 @@ fi
 %{_mandir}/man1/ipa-adtrust-install.1.gz
 %{python_sitelib}/ipaserver/dcerpc*
 %{python_sitelib}/ipaserver/install/adtrustinstance*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %endif
 
 %files client
@@ -786,6 +813,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Oct 10 2012 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-49
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+  plugin to /dev/null since they cannot be used when trusts are configured
+
 * Mon Oct  8 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-48
 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
 
-- 
1.7.12
