[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From eccc5ff2b80f70bf4658fce259a90b7fdd63409b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 11 Apr 2017 11:43:40 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 freeipa.spec.in|  9 +
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 11 files changed, 11 insertions(+), 147 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..5839ca0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
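Review bot: `usermod apache -a -G ipaapi` is the last command of the scriptlet, so if no `apache` account exists yet when %pre runs, the `id -Gn apache` pipeline fails, usermod runs and fails too, and its non-zero exit status aborts the whole package installation. Whether the httpd package (and with it the apache user) is guaranteed to be installed before this scriptlet is not visible in the hunk; if that ordering is not enforced by a dependency, make the step non-fatal in the usual rpm style, `id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod -a -G ipaapi apache || :`, which also puts the login name after its options as usermod's synopsis expects. The same line is present in the c53121d, 2a0cd52, ec977b5, 58d2ae5 and bf6c9b3 revisions of this spec hunk.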
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-args = [paths.GROUPADD, '-r', group]
-if gid:
-args += ['-g', str(gid)]
-try:
-ipautil.run(args)
-log.debug('Done adding group')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add group: %s', e)
-raise
-else:
-log.debug('group %s exists', group)
-
-try:
-pwd.getpwnam(name)
-except KeyError:
-log.debug('Adding user %s', name)
-args = [
-paths.USERADD,
-'-g', group,
-'-d', homedir,
-'-s', shell,
-'-r', name,
-]
-if uid:
-args += ['-u', str(uid)]
-if comment:
-args += ['-c', comment]
-if create_homedir:
-args += ['-m']
-else:
-args += ['-M']
-if groups is not None:
-args += ['-G', groups.join(',')]
-try:
-ipautil.run(args)
-log.debug('Done adding user')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add user: %s', e)
-raise
-else:
- 

[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From c53121d6ecee6be6cea4f2ee799e0c602f826d6c Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 11 Apr 2017 11:43:40 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 freeipa.spec.in|  9 +
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 11 files changed, 11 insertions(+), 147 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..df62286 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
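Review bot: Both `useradd` lines run unconditionally — the `getent … ||` guard that protects the two `groupadd` lines is missing on the user side — so on every upgrade or reinstall where the account already exists useradd fails with a "user already exists" error that lands in the rpm transaction output. It does not abort the scriptlet only because another command happens to follow it. Guard the user the same way as the group, `getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy`, and likewise for ipaapi. The 2a0cd52 and ec977b5 revisions of this hunk have the same unguarded useradd lines.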
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-args = [paths.GROUPADD, '-r', group]
-if gid:
-args += ['-g', str(gid)]
-try:
-ipautil.run(args)
-log.debug('Done adding group')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add group: %s', e)
-raise
-else:
-log.debug('group %s exists', group)
-
-try:
-pwd.getpwnam(name)
-except KeyError:
-log.debug('Adding user %s', name)
-args = [
-paths.USERADD,
-'-g', group,
-'-d', homedir,
-'-s', shell,
-'-r', name,
-]
-if uid:
-args += ['-u', str(uid)]
-if comment:
-args += ['-c', comment]
-if create_homedir:
-args += ['-m']
-else:
-args += ['-M']
-if groups is not None:
-args += ['-G', groups.join(',')]
-try:
-ipautil.run(args)
-log.debug('Done adding user')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add user: %s', e)
-raise
-else:
-log.debug('user %s exists', name)
-
 @staticmethod
 def 

[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From 2a0cd52ab3780763119d83d01123da2f12b3b5e0 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 11 Apr 2017 11:43:40 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 freeipa.spec.in|  9 +
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 11 files changed, 11 insertions(+), 147 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..2bb5066 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+useradd -r -g kdcproxy -s /sbin/nologin -m / -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+useradd -r -g ipaapi -s /sbin/nologin -m / -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
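Review bot: `-m /` on the two `useradd` lines does not set the home directory: `-m` takes no argument, so `/` becomes a second positional argument beside the login name and useradd rejects the invocation with a usage error, leaving both accounts uncreated — and because these lines carry no guard and are not the last command, nothing in the scriptlet notices. `-d` is the option that sets the home directory; `-m` asks useradd to create it. Use `useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy` and the equivalent for ipaapi.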
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-args = [paths.GROUPADD, '-r', group]
-if gid:
-args += ['-g', str(gid)]
-try:
-ipautil.run(args)
-log.debug('Done adding group')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add group: %s', e)
-raise
-else:
-log.debug('group %s exists', group)
-
-try:
-pwd.getpwnam(name)
-except KeyError:
-log.debug('Adding user %s', name)
-args = [
-paths.USERADD,
-'-g', group,
-'-d', homedir,
-'-s', shell,
-'-r', name,
-]
-if uid:
-args += ['-u', str(uid)]
-if comment:
-args += ['-c', comment]
-if create_homedir:
-args += ['-m']
-else:
-args += ['-M']
-if groups is not None:
-args += ['-G', groups.join(',')]
-try:
-ipautil.run(args)
-log.debug('Done adding user')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add user: %s', e)
-raise
-else:
-log.debug('user %s exists', name)
-
 @staticmethod
 def 

[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From ec977b5d2c1f59e178e78c64a4590914951c5b42 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 11 Apr 2017 11:43:40 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 freeipa.spec.in|  9 +
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 11 files changed, 11 insertions(+), 147 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..97e2c0c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1025,6 +1025,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+useradd -r -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
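Review bot: With no `-d` on the two `useradd` lines, the passwd entries for kdcproxy and ipaapi point at the default home (normally /home/<name>, taken from /etc/default/useradd), a directory that `-r` never creates, so anything that resolves `~kdcproxy` or `$HOME` for these services gets a dangling path. Give the system accounts an explicit, existing home, e.g. `useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy`, and the same for ipaapi.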
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-args = [paths.GROUPADD, '-r', group]
-if gid:
-args += ['-g', str(gid)]
-try:
-ipautil.run(args)
-log.debug('Done adding group')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add group: %s', e)
-raise
-else:
-log.debug('group %s exists', group)
-
-try:
-pwd.getpwnam(name)
-except KeyError:
-log.debug('Adding user %s', name)
-args = [
-paths.USERADD,
-'-g', group,
-'-d', homedir,
-'-s', shell,
-'-r', name,
-]
-if uid:
-args += ['-u', str(uid)]
-if comment:
-args += ['-c', comment]
-if create_homedir:
-args += ['-m']
-else:
-args += ['-M']
-if groups is not None:
-args += ['-G', groups.join(',')]
-try:
-ipautil.run(args)
-log.debug('Done adding user')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add user: %s', e)
-raise
-else:
-log.debug('user %s exists', name)
-
 @staticmethod
 def 

[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-10 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From 58d2ae5206f212c117631905a543dfb01f2e134f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 10 Apr 2017 15:21:40 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 configure.ac   |  4 ++-
 freeipa.spec.in| 21 
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 server.m4  | 30 +
 13 files changed, 56 insertions(+), 148 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8f8751a..36ecc37 100644
--- a/configure.ac
+++ b/configure.ac
@@ -628,7 +628,9 @@ AM_COND_IF([ENABLE_SERVER], [
 krb5rundir:   ${krb5rundir}
 systemdsystemunitdir: ${systemdsystemunitdir}
 systemdtmpfilesdir:   ${systemdtmpfilesdir}
-build mode:   server & client"
+build mode:   server & client
+ipaapi UID, GID:  ${ipaapi_uid}, ${ipaapi_gid}
+kdcproxy UID, GID:${kdcproxy_uid}, ${kdcproxy_gid}"
 ], [
 echo "\
 build mode:   client only"
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..d53309d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1024,7 +1024,28 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
 # END
 fi
+# create users and groups
+# create kdcproxy group and user preferably with preallocated GID and UID
+getent group kdcproxy >/dev/null || groupadd -f -g %{kdcproxy_gid} -r kdcproxy
+if ! getent passwd kdcproxy >/dev/null ; then
+if ! getent passwd %{kdcproxy_uid} >/dev/null ; then
+  useradd -r -u %{kdcproxy_uid} -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy
+else
+  useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy
+fi
+fi
 
+# create ipaapi group and user preferably with preallocated GID and UID
+getent group ipaapi >/dev/null || groupadd -f -g %{ipaapi_gid} -r ipaapi
+if ! getent passwd ipaapi >/dev/null ; then
+if ! getent passwd %{ipaapi_uid} >/dev/null ; then
+  useradd -r -u %{ipaapi_uid} -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi
+else
+  useradd -r -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi
+fi
+fi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
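Review bot: The two `groupadd -f -g %{kdcproxy_gid} -r …` / `%{ipaapi_gid}` lines pass `-f`, which makes groupadd silently pick a different GID when the requested one is already taken, while the user side goes to some length to check `getent passwd %{kdcproxy_uid}` before committing to the fixed UID. So the preallocated GID is not actually guaranteed, and a user created with the fixed UID can end up in a group with an arbitrary GID — if the fixed ids matter (e.g. for ownership baked into images, which the commit message hints at with the container remark), the GID needs the same check-then-fall-back treatment as the UID; if they do not matter, the UID branching is dead weight. Where `%{kdcproxy_gid}` and friends are defined is not visible here (server.m4 and configure.ac are in the diffstat). Below is the group part for kdcproxy; ipaapi follows the same shape.
```shell
# create kdcproxy group and user preferably with preallocated GID and UID
if ! getent group kdcproxy >/dev/null ; then
    if ! getent group %{kdcproxy_gid} >/dev/null ; then
        groupadd -g %{kdcproxy_gid} -r kdcproxy
    else
        groupadd -r kdcproxy
    fi
fi
# … unchanged: kdcproxy user creation …
# … same pattern for the ipaapi group, then unchanged ipaapi user creation …
```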
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-

[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation

2017-04-10 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package 
installation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From bf6c9b375b7b24cdb2b3d1a50286cd189b633c3d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 6 Apr 2017 12:35:35 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, the system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentially to similar ones). Now the users will be created in the package %pre
section so all users the freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose, but
given that systemd is not available during container build, the traditional
approach is superior.
Also, the dirsrv and pkiuser users are no longer created by FreeIPA; instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743
---
 freeipa.spec.in|  6 
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 11 files changed, 8 insertions(+), 147 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..c8dc02c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1024,7 +1024,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
 # END
 fi
+# create users and groups
+getent group kdcproxy >/dev/null || groupadd -r kdcproxy
+getent passwd kdcproxy >/dev/null || useradd -r kdcproxy -g kdcproxy -c "IPA KDC Proxy User"
 
+getent group ipaapi >/dev/null || groupadd -r ipaapi
+getent passwd ipaapi >/dev/null || useradd -r ipaapi -g ipaapi -c "IPA Framework User"
+id -Gn apache | grep '\bipaapi\b' || usermod apache -a -G ipaapi
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
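Review bot: The `useradd -r kdcproxy -g kdcproxy -c "IPA KDC Proxy User"` line and its ipaapi twin set no `-s`, so the new accounts receive the default login shell from /etc/default/useradd (normally a real shell such as /bin/bash); service accounts that never log in should get `-s /sbin/nologin` so they cannot be used for an interactive session. The `id -Gn apache | grep '\bipaapi\b'` check also lacks `>/dev/null`, so the matching group list is printed into the rpm transaction output on every upgrade. Suggested: `getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy` (same for ipaapi) and `id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod -a -G ipaapi apache`.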
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 9f91fef..3358b7d 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,9 +22,6 @@
 This module contains default platform-specific implementations of system tasks.
 '''
 
-import pwd
-import grp
-
 from pkg_resources import parse_version
 
 from ipaplatform.paths import paths
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None):
 
 raise NotImplementedError()
 
-def create_system_user(self, name, group, homedir, shell,
-   uid=None, gid=None, comment=None,
-   create_homedir=False, groups=None):
-"""Create a system user with a corresponding group"""
-try:
-grp.getgrnam(group)
-except KeyError:
-log.debug('Adding group %s', group)
-args = [paths.GROUPADD, '-r', group]
-if gid:
-args += ['-g', str(gid)]
-try:
-ipautil.run(args)
-log.debug('Done adding group')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add group: %s', e)
-raise
-else:
-log.debug('group %s exists', group)
-
-try:
-pwd.getpwnam(name)
-except KeyError:
-log.debug('Adding user %s', name)
-args = [
-paths.USERADD,
-'-g', group,
-'-d', homedir,
-'-s', shell,
-'-r', name,
-]
-if uid:
-args += ['-u', str(uid)]
-if comment:
-args += ['-c', comment]
-if create_homedir:
-args += ['-m']
-else:
-args += ['-M']
-if groups is not None:
-args += ['-G', groups.join(',')]
-try:
-ipautil.run(args)
-log.debug('Done adding user')
-except ipautil.CalledProcessError as e:
-log.critical('Failed to add user: %s', e)
-raise
-else:
-log.debug('user %s exists', name)
-
 @staticmethod
 def parse_ipa_version(version):