Creating the directory from the specfile doesn't work if the named user is not on the system when the RPM is installed. The appropriate ownership and permissions have to be set during ipa-dns installation instead.
Patch attached -- Martin Basti
From 44593f97c51cc683218ac4ed81f821ee751ee6c5 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions
Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:6
---
 freeipa.spec.in | 3 +--
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/dnskeysyncinstance.py | 21 +++++++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -660,7 +659,6 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
@@ -774,6 +772,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af502628e493ad7b4d8d30ed1acb98bba8cb39e4..e4970e9b684b06ad98d56605d6d0419cb9e39cb2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
 BIN_WGET = "/usr/bin/wget"
 ZIP = "/usr/bin/zip"
 BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
 BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
 USR_LIB_DIRSRV = "/usr/lib/dirsrv"
 USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..f3d225fc114c1a8ffed1637a90448122b862b745 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -119,6 +119,8 @@ class DNSKeySyncInstance(service.Service):
 self.ldap_connect()
 # checking status step must be first
 self.step("checking status", self.__check_dnssec_status)
+ self.step("setting up bind-dyndb-ldap working directory",
+ self.__setup_dyndb_ldap_workdir)
 self.step("setting up kerberos principal", self.__setup_principal)
 self.step("setting up SoftHSM", self.__setup_softhsm)
 self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
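Review bot: The new `%ghost %{_localstatedir}/named/dyndb-ldap/ipa` entry drops the `%dir` that the line it replaces carried, so rpm presumably records the path as a ghost file rather than a directory; that can make `rpm -e` attempt to unlink it and leaves `rpm -V` with no mode or ownership expectation for it. `%ghost %dir %{_localstatedir}/named/dyndb-ldap/ipa` is the usual spelling for a directory that is created at runtime, and adding back `%attr(0770,named,named)` is worth trying only if it does not reintroduce the dependence on the named account at package install time that this commit is removing. The `master/` subdirectory that `BIND_LDAP_DNS_ZONE_WORKDIR` points at in the paths hunk is not ghosted; if the installer creates it too, it should be listed the same way.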
@@ -171,6 +173,25 @@ class DNSKeySyncInstance(service.Service):
 self._ldap_mod("dnssec.ldif",
 {'SUFFIX': self.suffix, })
 
+ def __setup_dyndb_ldap_workdir(self):
+ named = services.knownservices.named
+
+ try:
+ named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+ except KeyError:
+ raise RuntimeError("Named UID not found")
+
+ try:
+ named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+ except KeyError:
+ raise RuntimeError("Named GID not found")
+
+ if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+ os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ # dnssec daemons require to have access into the directory
+ os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, named_uid, named_gid)
+
 def __setup_softhsm(self):
 assert self.ods_uid is not None
 assert self.named_gid is not None
-- 
1.8.3.1
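Review bot: `os.chmod` and `os.chown` at the end of `__setup_dyndb_ldap_workdir` follow symlinks, so if an unprivileged account can write to the parent `/var/named/dyndb-ldap/` (bind-dyndb-ldap usually ships that directory owned by named, but nothing in the hunk shows its ownership) a symlink pre-placed at `ipa` would make the root-run installer hand an arbitrary directory to named:named with mode 0770. Refuse anything that is not a real directory before changing ownership, between the `os.mkdir` and the `os.chmod`: `if os.path.islink(paths.BIND_LDAP_DNS_IPA_WORKDIR) or not os.path.isdir(paths.BIND_LDAP_DNS_IPA_WORKDIR): raise RuntimeError("%s is not a directory" % paths.BIND_LDAP_DNS_IPA_WORKDIR)`. The `exists`-then-`mkdir` pair is also a small race; `try: os.mkdir(...) except OSError as e: if e.errno != errno.EEXIST: raise` yields the same end state without the window (it needs `errno`, whose import block is outside this hunk). The comment `# dnssec daemons require to have access into the directory` would be more useful if it named who needs the group bit, e.g. `# 0770: the DNSSEC daemons run in the named group and must write here` — the context lines only hint at this via `ods_uid`/`named_gid` in `__setup_softhsm`, so confirm before wording it as fact.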