On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
Hi,

Since use of winbind on a FreeIPA server that is configured with trusts
conflicts with the krb5 locator based on winbind, make sure there is a
conflict that will force removing the samba{,4}-winbind-krb5-locator package
when the -server-trust-ad subpackage is installed.

Please note that since feature-wise the two packages would be
conflicting in use, one has to play tricks with rpm to enforce
automatic removal of the samba{,4}-winbind-krb5-locator with Obsoletes:
in addition to the Conflicts: tag. This ensures the two packages
are never installed together:

Conflicts: tag would prevent installing samba{,4}-winbind-krb5-locator after
freeipa-server-trust-ad subpackage is installed.

Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator
during the install of freeipa-server-trust-ad.
Unfortunately, the side-effect of the Obsoletes: tag is that
freeipa-server-trust-ad would always be selected from the repository
whenever one wants to install samba{,4}-winbind-krb5-locator, so this
approach does not work.

We can keep pure Conflicts: tags because they would prevent co-install
of the packages. They alone would not be able to provide a way to solve
conflicts.

I'm working on a bit more complex variant with alternatives.
New patch attached. I verified that it works but in order to make it
useful, samba{,4} package needs to be updated to include alternatives
for winbind_krb5_locator.so plugin. Working on that now.
Attached is the patch for samba (f18, rawhide).

--
/ Alexander Bokovoy
>From a78139d777deab75e3bf500472d88cba6a720484 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 10 Oct 2012 12:21:42 +0300
Subject: [PATCH] Move winbind_krb5_locator.so to back to %_libdir and use
 alternatives instead

This is required to support IPA AD trusts where winbind_krb5_locator.so should
be disabled. The only way to disable it without uninstalling the package is to
make it configurable via alternatives system.
---
 samba.spec | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/samba.spec b/samba.spec
index 
292fd7e90221795982788dc7a7606fa907dfa4e3..a3cc66b326f7cf83b4c81939aa70d35b80fcae0b
 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 152
+%define main_release 153
 
 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@@ -279,6 +279,14 @@ Requires: %{name}-libs = %{samba_depver}
 
 Provides: samba4-winbind-krb5-locator = %{samba_depver}
 Obsoletes: samba4-winbind-krb5-locator < %{samba_depver}
+# Handle winbind_krb5_locator.so as alternatives to allow
+# IPA AD trusts case where it should not be used by libkrb5
+# The plugin will be diverted to /dev/null by the FreeIPA
+# freeipa-server-trust-ad subpackage due to higher priority
+# and restored to the proper one on uninstall
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 %description winbind-krb5-locator
 The winbind krb5 locator is a plugin for the system kerberos library to allow
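Review bot: The three added Requires lines name %{_sbindir}/update-alternatives, but the %postun scriptlet later in this patch calls %{_sbindir}/alternatives; depend on and invoke the same path throughout. The comment block also mentions a "higher priority" on the freeipa-server-trust-ad side without stating that this package registers its alternative at priority 10, which is the value the other package has to exceed; put that number in the comment so the two spec files stay in step.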
@@ -538,8 +546,7 @@ done
 
 # winbind krb5 locator
 install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
-install -m 755 %{buildroot}/%{_libdir}/winbind_krb5_locator.so 
%{buildroot}/%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-rm -f %{buildroot}/%{_libdir}/winbind_krb5_locator.so
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 # cleanup stuff that does not belong here
 rm -f %{buildroot}/%{_mandir}/man3/ldb.3*
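Review bot: The new `touch` line leaves an empty file at the plugin path with no explanation, and the existing "# winbind krb5 locator" comment no longer describes what happens. Add a comment saying the file is only a build-time placeholder for the %ghost entry in %files, and that the real link at this path is created by update-alternatives in %post.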
@@ -557,6 +564,7 @@ rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp
 # Fix up permission on perl install.
 %{_fixperms} %{buildroot}%{perl_vendorlib}
 
+
 # Remove stuff the buildsystem did not handle correctly
 rm -f %{buildroot}%{_libdir}/security/pam_smbpass.so
 rm -f %{buildroot}%{python_sitelib}/tevent.py
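Review bot: The only change in this hunk is an extra blank line after the %{_fixperms} call, which is unrelated to the alternatives work. Drop it so the patch touches only what the commit message describes.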
@@ -622,6 +630,22 @@ rm -f %{buildroot}%{python_sitelib}/tevent.py
 %postun -n libwbclient -p /sbin/ldconfig
 %endif # with_libwbclient
 
+%postun winbind-krb5-locator 
+if [ "$1" -ge "1" ]; then
+        if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" 
== "%{_libdir}/winbind_krb5_locator.so" ]; then
+                %{_sbindir}/alternatives --set winbind_krb5_locator 
%{_libdir}/winbind_krb5_locator.so
+        fi
+fi
+
+%post winbind-krb5-locator
+%{_sbindir}/update-alternatives --install 
%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+                                winbind_krb5_locator.so 
%{_libdir}/winbind_krb5_locator.so 10
+
+%preun winbind-krb5-locator
+if [ $1 -eq 0 ]; then
+        %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so 
%{_libdir}/winbind_krb5_locator.so
+fi
+
 %clean
 rm -rf %{buildroot}
 
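Review bot: The alternatives group name differs between the scriptlets: %post and %preun register and remove `winbind_krb5_locator.so`, while %postun calls `alternatives --set winbind_krb5_locator` without the `.so` suffix, a name this package never installs, so the --set cannot act on the group created in %post. Use one name in all three scriptlets. In the same %postun test, `==` inside `[ ]` is a bash extension and `=` is the portable form, and `$1` is quoted in %postun but unquoted in %preun; make the quoting consistent. A one-line comment on why %postun re-sets a link that already points at %{_libdir}/winbind_krb5_locator.so would also help, since the intent is not evident from the condition.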
@@ -905,7 +929,8 @@ rm -rf %{buildroot}
 
 %files winbind-krb5-locator
 %defattr(-,root,root)
-%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_libdir}/winbind_krb5_locator.so
 %{_mandir}/man7/winbind_krb5_locator.7*
 
 %files winbind-clients
@@ -1255,6 +1280,9 @@ rm -rf %{buildroot}
 %endif # with_libwbclient
 
 %changelog
+* Wed Oct 10 2012 - Alexander Bokovoy <aboko...@redhat.com> - 2:4.0.0-153.rc1
+- Use alternatives to configure winbind_krb5_locator.so
+
 * Thu Oct 04 2012 - Andreas Schneider <a...@redhat.com> - 2:4.0.0-152.rc1
 - Add kerberos AES support.
 - Fix printing initialization.
-- 
1.7.12
