[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From eccc5ff2b80f70bf4658fce259a90b7fdd63409b Mon Sep 17 00:00:00 2001 From: David KupkaDate: Tue, 11 Apr 2017 11:43:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 9 + ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 11 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..5839ca0 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
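Review bot: The last added line, `id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi`, tests membership with a word-boundary match, so a group such as `ipaapi-admin` (constructed example) would satisfy it and apache would never be added to `ipaapi` itself. An exact match avoids that: `id -Gn apache | tr ' ' '\n' | grep -qx ipaapi || usermod -a -G ipaapi apache`. The line is also the last command before `%postun server-trust-ad`, so if the apache account does not exist when the scriptlet runs, the failing `usermod` becomes the scriptlet's exit status. Whether the package that creates apache is ordered first (for example through a `Requires(pre)`) is not visible in this hunk and should be confirmed. The same line appears in every other revision of this patch on the page, and the comment above it spells the group `ipaaapi`.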
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From c53121d6ecee6be6cea4f2ee799e0c602f826d6c Mon Sep 17 00:00:00 2001 From: David KupkaDate: Tue, 11 Apr 2017 11:43:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 9 + ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 11 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..df62286 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
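Review bot: Both `useradd` lines in this revision run unconditionally, so on an upgrade or reinstall, where `kdcproxy` and `ipaapi` already exist, each call fails with an "already exists" error. Nothing visible sets `-e`, so the scriptlet presumably carries on, which means every upgrade logs two errors and a genuine account-creation failure is indistinguishable from the expected one. The group lines already use the guard idiom and the user lines should match it: `getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy`, and likewise for `ipaapi`. The two revisions after this one on the page (the one passing `-m /` and the one with no home option) have the same unguarded calls.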
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -log.debug('user %s exists', name) - @staticmethod def
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From 2a0cd52ab3780763119d83d01123da2f12b3b5e0 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Tue, 11 Apr 2017 11:43:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 9 + ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 11 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..2bb5066 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +useradd -r -g kdcproxy -s /sbin/nologin -m / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +useradd -r -g ipaapi -s /sbin/nologin -m / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
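Review bot: On both `useradd` lines `-m` is the create-home switch and takes no argument, so the `/` after it is parsed as a second positional argument beside the login name. useradd accepts exactly one login and should exit with a usage error, leaving `kdcproxy` and `ipaapi` uncreated. Because the apache line is the last command, the scriptlet's exit status would not reflect that, and the missing accounts would only surface later, when a service or the DBus policy refers to them. The home directory is set with `-d`, e.g. `useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy`, with `-M` added if the intent is to state that no home is created.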
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -log.debug('user %s exists', name) - @staticmethod def
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From ec977b5d2c1f59e178e78c64a4590914951c5b42 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Tue, 11 Apr 2017 11:43:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 9 + ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 11 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..97e2c0c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +useradd -r -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
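Review bot: The `useradd` lines in this revision pass no `-d`, so the passwd entries record whatever home the host's useradd defaults produce, typically a path under `/home` named after the account. For a `-r` account that directory is not created, which leaves two service accounts pointing at a nonexistent, host-dependent path. Stating the home explicitly keeps the entries identical on every host and easier to audit: `getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi`. The two older revisions at the bottom of the page (preallocated UID/GID, and the first submission) omit `-d` as well.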
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -log.debug('user %s exists', name) - @staticmethod def
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From 58d2ae5206f212c117631905a543dfb01f2e134f Mon Sep 17 00:00:00 2001 From: David KupkaDate: Mon, 10 Apr 2017 15:21:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- configure.ac | 4 ++- freeipa.spec.in| 21 ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- server.m4 | 30 + 13 files changed, 56 insertions(+), 148 deletions(-) diff --git a/configure.ac b/configure.ac index 8f8751a..36ecc37 100644 --- a/configure.ac +++ b/configure.ac 
@@ -628,7 +628,9 @@ AM_COND_IF([ENABLE_SERVER], [ krb5rundir: ${krb5rundir} systemdsystemunitdir: ${systemdsystemunitdir} systemdtmpfilesdir: ${systemdtmpfilesdir} -build mode: server & client" +build mode: server & client +ipaapi UID, GID: ${ipaapi_uid}, ${ipaapi_gid} +kdcproxy UID, GID:${kdcproxy_uid}, ${kdcproxy_gid}" ], [ echo "\ build mode: client only" diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..d53309d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1024,7 +1024,28 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : # END fi +# create users and groups +# create kdcproxy group and user preferably with preallocated GID and UID +getent group kdcproxy >/dev/null || groupadd -f -g %{kdcproxy_gid} -r kdcproxy +if ! getent passwd kdcproxy >/dev/null ; then +if ! getent passwd %{kdcproxy_uid} >/dev/null ; then + useradd -r -u %{kdcproxy_uid} -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy +else + useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy +fi +fi +# create ipaapi group and user preferably with preallocated GID and UID +getent group ipaapi >/dev/null || groupadd -f -g %{ipaapi_gid} -r ipaapi +if ! getent passwd ipaapi >/dev/null ; then +if ! getent passwd %{ipaapi_uid} >/dev/null ; then + useradd -r -u %{ipaapi_uid} -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi +else + useradd -r -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi +fi +fi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py 
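Review bot: The freeipa.spec.in scriptlet expands `%{kdcproxy_uid}`, `%{kdcproxy_gid}`, `%{ipaapi_uid}` and `%{ipaapi_gid}`, but nothing visible in this patch defines those RPM macros. The diffstat gives freeipa.spec.in 21 changed lines and this hunk accounts for all 21, while the configure.ac hunk only echoes shell variables of the same names. If the macros are not defined elsewhere (for instance on the rpmbuild command line), rpm leaves the text unexpanded, and `groupadd -g` and `useradd -u` receive a literal `%{...}` string and fail, so the accounts are not created with the intended IDs or not created at all. A `%global` definition in the spec fed from the configure value would close the gap; the exact substitution depends on server.m4, which is not shown here. The silent fallback to a dynamic UID also deserves a one-line comment saying that file ownership may then differ between hosts.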
@@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths @@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From bf6c9b375b7b24cdb2b3d1a50286cd189b633c3d Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 6 Apr 2017 12:35:35 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 6 ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 8 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..c8dc02c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1024,7 +1024,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : # END fi +# create users and groups +getent group kdcproxy >/dev/null || groupadd -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r kdcproxy -g kdcproxy -c "IPA KDC Proxy User" +getent group ipaapi >/dev/null || groupadd -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r ipaapi -g ipaapi -c "IPA Framework User" +id -Gn apache | grep '\bipaapi\b' || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
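Review bot: Neither `useradd` line passes `-s`, so `kdcproxy` and `ipaapi` receive the host's default login shell, whereas the removed `create_system_user` helper took an explicit `shell` argument. Service accounts that never log in should be created with a non-interactive shell: `getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy`, and the same for `ipaapi`. The `grep '\bipaapi\b'` on the apache line also lacks `>/dev/null` (or `-q`), so a match is printed into the package transaction output.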
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -log.debug('user %s exists', name) - @staticmethod def parse_ipa_version(version):