Alan Pevec
2008-May-28 21:17 UTC
[Ovirt-devel] [PATCH] replace kadmin.local with ipa-* commands
replace kadmin.local with ipa-* commands We should not use kadmin with IPA, see http://freeipa.org/page/IpaConcepts#How_IPA_and_Kerberos_Work_Together This change makes finally 'grant_admin_privileges ovirtadmin' work, since now we get user object created at expected prefix cn=users,cn=accounts 'grant_admin_privileges admin' is removed, admin is IPA system account and has nothing to do with oVirt diff --git a/wui-appliance/wui-devel-x86_64.ks b/wui-appliance/wui-devel-x86_64.ks index 1ab990f..173e448 100644 --- a/wui-appliance/wui-devel-x86_64.ks +++ b/wui-appliance/wui-devel-x86_64.ks @@ -30,7 +30,9 @@ for i in `seq 3 252` ; do echo "192.168.50.$i node$i.priv.ovirt.org" >> /etc/hosts done -principal=ovirtadmin at PRIV.OVIRT.ORG +principal=ovirtadmin +realm=PRIV.OVIRT.ORG +password=ovirt cron_file=/etc/cron.hourly/ovirtadmin.cron ktab_file=/usr/share/ovirt-wui/ovirtadmin.tab @@ -40,7 +42,7 @@ cat > $cron_file << EOF #!/bin/bash export PATH=/usr/kerberos/bin:$PATH kdestroy -kinit -k -t $ktab_file $principal +kinit -k -t $ktab_file $principal@$realm EOF chmod 755 $cron_file @@ -106,6 +108,8 @@ EOF first_run_file=/etc/init.d/ovirt-wui-dev-first-run sed -e "s, at cron_file@,$cron_file," \ -e "s, at principal@,$principal," \ + -e "s, at realm@,$realm," \ + -e "s, at password@,$password,g" \ -e "s, at ktab_file@,$ktab_file," \ > $first_run_file << \EOF #!/bin/bash 
@@ -119,18 +123,18 @@ sed -e "s, at cron_file@,$cron_file," \ # Source functions library . /etc/init.d/functions -KADMIN=/usr/kerberos/sbin/kadmin.local - start() { echo -n "Starting ovirt-dev-wui-first-run: " ( # set up freeipa - ipa-server-install -r PRIV.OVIRT.ORG -p ovirt -P ovirt -a ovirtwui \ + ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \ --hostname management.priv.ovirt.org -u dirsrv -U # now create the ovirtadmin user - $KADMIN -q 'addprinc -randkey @principal@' - $KADMIN -q 'ktadd -k @ktab_file@ @principal@' + echo @password@|kinit admin + ipa-adduser -f Ovirt -l Admin -p @password@ @principal@ + ipa-moduser --setattr krbPasswordExpiration=19700101000000Z @principal@ + ipa-getkeytab -s management.priv.ovirt.org -p @principal@ -k @ktab_file@ @cron_file@ ) > /var/log/ovirt-wui-dev-first-run.log 2>&1 diff --git a/wui/scripts/ovirt-wui-install b/wui/scripts/ovirt-wui-install index 9cc3ac4..61da1b6 100755 --- a/wui/scripts/ovirt-wui-install +++ b/wui/scripts/ovirt-wui-install @@ -184,9 +184,6 @@ mkdir -p log rake db:migrate cd - -${OVIRT_DIR}/script/grant_admin_privileges admin -[ $? != 0 ] && echo "Failed to grant admin privileges" && exit 1 - if [ -f ${OVIRT_DIR}/ovirtadmin.tab ]; then ${OVIRT_DIR}/script/grant_admin_privileges ovirtadmin [ $? != 0 ] && echo "Failed to grant ovirtadmin privileges" && exit 1 @@ -199,6 +196,3 @@ for svc in $OVIRT_SVCS $ENABLE_SVCS; do done exit 0 - - -
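Review bot: `+password=ovirt` in the @@ -30,7 +30,9 @@ hunk of wui-devel-x86_64.ks bakes a fixed clear-text password into the kickstart, and the later `s, at password@,$password,g` substitution copies it into the generated /etc/init.d/ovirt-wui-dev-first-run as well. For a development appliance that is acceptable, but put a comment next to the variable saying it is a dev-only default, and check the mode of the generated first-run script, since it will carry the value in clear; generating the value at first run (for example from /dev/urandom) and writing it to a root-only file would avoid shipping it in the image.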
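Review bot: the rewritten `kinit -k -t $ktab_file $principal@$realm` in the cron hunk (@@ -40,7 +42,7 @@) is still run right after an unconditional `kdestroy` with no check of its exit status, so a failed re-kinit leaves the WUI without a ticket until the next hourly run and nothing records why. Appending `|| logger -t ovirtadmin.cron "kinit failed"` (or similar) to that line would make the failure visible; the variable split itself is fine, both `$principal` and `$realm` expand at kickstart time because the heredoc delimiter is unquoted.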
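Review bot: in the sed hunk (@@ -106,6 +108,8 @@) only the new `s, at password@,$password,g` expression gets the `g` flag, which is needed because @password@ occurs three times on the ipa-server-install line; that is correct, but now that the password is a variable any comma, `&` or backslash in its value will break or mangle the substitution (comma is the delimiter, `&` is the match reference, backslash an escape). Either document that restriction beside `password=` or escape the value before handing it to sed.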
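Review bot: the new `echo @password@|kinit admin` line in the first-run start() (@@ -119,18 +123,18 @@) relies on kinit being in PATH, but unlike the cron file this script never exports /usr/kerberos/bin, and the removed `KADMIN=/usr/kerberos/sbin/kadmin.local` used an absolute path for exactly that reason; under an init-script PATH the call fails with `kinit: command not found` and the following ipa-adduser, ipa-moduser and ipa-getkeytab calls then run with no ticket, which is the "No credentials cache found" chain Ian reports below. Add `export PATH=/usr/kerberos/bin:$PATH` (or call the binary by absolute path) and make the subshell fail fast, for instance `set -e` right after the opening `(`, so a failed kinit stops the sequence instead of only leaving errors in /var/log/ovirt-wui-dev-first-run.log. Two smaller points in the same hunk: `-a @password@` now makes the IPA admin password identical to the directory manager password and to the ovirtadmin user password (the previous `-a ovirtwui` at least kept them distinct), and the `ipa-moduser --setattr krbPasswordExpiration=19700101000000Z` line deserves a one-line comment saying why the expiration is pinned to the epoch, presumably to keep the fresh account from being forced through a password change before the keytab is pulled.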
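Review bot: with the `grant_admin_privileges admin` lines removed from ovirt-wui-install (@@ -184,9 +184,6 @@), granting any WUI administrator at all now depends on `[ -f ${OVIRT_DIR}/ovirtadmin.tab ]`; as far as the visible lines show, when the keytab is absent the installer simply continues and exits 0 with no admin user and no message. Print a warning (or fail) in that case so the condition is visible, and state in the commit message that installs without the keytab end up with no administrator.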
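Review bot: the last hunk of ovirt-wui-install (@@ -199,6 +196,3 @@) only strips trailing blank lines after `exit 0`; harmless, but unrelated whitespace cleanup is better kept out of a functional patch or at least mentioned in the commit message.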
Ian Main
2008-May-29 00:32 UTC
[Ovirt-devel] [PATCH] replace kadmin.local with ipa-* commands
On Wed, 28 May 2008 23:17:38 +0200 Alan Pevec <apevec at redhat.com> wrote:
> replace kadmin.local with ipa-* commands
>
> We should not use kadmin with IPA, see http://freeipa.org/page/IpaConcepts#How_IPA_and_Kerberos_Work_Together
> This change makes finally 'grant_admin_privileges ovirtadmin' work, since now we get user object created at expected prefix cn=users,cn=accounts
>
> 'grant_admin_privileges admin' is removed, admin is IPA system account and has nothing to do with oVirt

Hey Alan,

I ran this and in the log you see:

The password for this file is in /etc/dirsrv/slapd-PRIV-OVIRT-ORG/pwdfile.txt
/etc/rc3.d/S95ovirt-wui-dev-first-run: line 20: kinit: command not found
Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/No credentials cache found
Could not initialize GSSAPI: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('No credentials cache found', -1765328189)

so I'll add the kerb bin dir to the path and try it again.

Ian