Joey Boggs
2009-May-20 20:44 UTC
[Ovirt-devel] [PATCH server] update host-browser to use ipa commands rather than kadmin
This completes the server side daemons ipa support
---
 installer/modules/ovirt/manifests/ovirt.pp |    5 ++++
 src/host-browser/host-browser.rb           |   29 +++++++++++++++++++++------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
index 2e91e69..d3d01d6 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -130,6 +130,11 @@ class ovirt::setup {
         notify => Service[qpidd]
     }
 
+    single_exec { "ipa_admin_keytab" :
+        command => "/usr/sbin/ipa-getkeytab -s $ipa_host -p admin@$realm_name -k /usr/share/ovirt-server/ipa-admin.tab",
+        require => Exec[get_krb5_tkt]
+    }
+
     service {"httpd" :
         enable => true,
         require => Package[httpd],
diff --git a/src/host-browser/host-browser.rb b/src/host-browser/host-browser.rb
index 13b2ac4..b62fdba 100755
--- a/src/host-browser/host-browser.rb
+++ b/src/host-browser/host-browser.rb
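Review bot: The new `single_exec` writes a keytab for `admin@$realm_name` to `/usr/share/ovirt-server/ipa-admin.tab` but sets no owner or mode on it, and that file is equivalent to the IPA admin credential. Whatever mode `ipa-getkeytab` leaves it with, the manifest should pin it: follow the exec with a `file` resource for the same path carrying `mode => 0600` and `owner` set to the account the host-browser daemon runs as (not visible here), and a location such as `/etc/ovirt-server/` suits a secret better than `/usr/share`, which is meant for world-readable static data. As I understand `ipa-getkeytab`, it also generates a fresh key for the principal it fetches, so this call would rotate admin's key and invalidate the admin password the installer set; please confirm that is intended and call it out for operators.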
@@ -331,12 +331,23 @@ class HostBrowser
       # TODO need a way to test this portion
       unless (defined? TESTING) || File.exists?(@keytab_filename)
         # TODO replace with Kr5Auth when it supports admin actions
-        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
-        kadmin_local('addprinc -randkey ' + libvirt_princ)
-        kadmin_local('ktadd -k ' + @keytab_filename + ' ' + libvirt_princ)
-        kadmin_local('addprinc -randkey ' + qpidd_princ)
-        kadmin_local('ktadd -k ' + @keytab_filename + ' ' + qpidd_princ)
+        krb5conf = File.new("/etc/krb5.conf", "r")
+        while (line = krb5conf.gets)
+          if line =~ /admin_server/ && !line.include?("FILE")
+            key,value = line.split("=")
+            ipa_host,ipa_port = value.split(":")
+          end
+        end
+        krb5conf.close
+
+        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
+        admin_keytab="/usr/share/ovirt-server/ipa-admin.tab"
+        system("/usr/kerberos/bin/kinit admin -k -t #{admin_keytab}")
+        add_principal(libvirt_princ)
+        get_keytab(libvirt_princ,ipa_host)
+        add_principal(qpidd_princ)
+        get_keytab(qpidd_princ,ipa_host)
         File.chmod(0644, at keytab_filename)
       end
@@ -367,8 +378,12 @@ class HostBrowser
   # Executes an external program to support the keytab function.
   #
-  def kadmin_local(command)
-    system("/usr/kerberos/sbin/kadmin.local -q '" + command + "'")
+  def add_principal(command)
+    system("/usr/sbin/ipa-addservice #{command}")
+  end
+
+  def get_keytab(command,ipa_host)
+    system("ipa-getkeytab -s #{ipa_host} -p #{command} -k #{@keytab_filename}")
   end
 end
-- 
1.6.0.6
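Review bot: `ipa_host` is taken from the `admin_server` line of `/etc/krb5.conf` without stripping, so whenever the value carries no `:port` it keeps its trailing newline and the shell string later built in `get_keytab` is cut into two commands; when no matching line exists it stays `nil`, and a matching line without `=` makes `value.split` raise. The return values of the `kinit` call, `add_principal` and `get_keytab` are also ignored, so a failed `kinit` lets the remaining commands run and fail silently before `File.chmod(0644, …)` either raises on a missing keytab or publishes a partial one. Reading the file with `File.foreach` (which also closes it on error), stripping the host and failing when none is found, and treating a false `system` result as fatal addresses all of that; the admin TGT that `kinit` leaves in the daemon's default credential cache should additionally be discarded with `kdestroy` (or confined via `KRB5CCNAME`) once the keytabs are written. `libvirt_princ` and `qpidd_princ` are built outside this hunk.
```ruby
        ipa_host = nil
        File.foreach("/etc/krb5.conf") do |line|
          next unless line =~ /admin_server/ && !line.include?("FILE")
          ipa_host = line.split("=", 2).last.split(":").first.strip
        end
        raise "no admin_server entry in /etc/krb5.conf" if ipa_host.nil? || ipa_host.empty?

        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
        admin_keytab = "/usr/share/ovirt-server/ipa-admin.tab"
        system("/usr/kerberos/bin/kinit", "admin", "-k", "-t", admin_keytab) or raise "kinit as admin failed"
        # … unchanged: add_principal/get_keytab calls for libvirt_princ and qpidd_princ …
        system("/usr/kerberos/bin/kdestroy")
```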
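Review bot: Both helpers hand `system` a single interpolated string, so `command` and `ipa_host` are parsed by `/bin/sh`; `command` is a principal built outside the hunk, and if, as I suspect from the daemon's role, it embeds the hostname a connecting node reports, a node announcing a name containing `;` runs arbitrary commands as the host-browser user. The argument-list form of `system` bypasses the shell entirely, and a false return should not be dropped: `system("/usr/sbin/ipa-addservice", command) or raise "ipa-addservice #{command} failed"` and `system("/usr/sbin/ipa-getkeytab", "-s", ipa_host, "-p", command, "-k", @keytab_filename) or raise "ipa-getkeytab for #{command} failed"`. Spelling out `/usr/sbin/ipa-getkeytab` also matches `add_principal` and the manifest instead of relying on the daemon's `PATH` containing `/usr/sbin`.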
Joey Boggs
2009-May-20 20:45 UTC
[Ovirt-devel] [PATCH server] update host-browser to use ipa commands rather than kadmin
This completes the server side daemons ipa support
---
 installer/modules/ovirt/manifests/ovirt.pp |    5 ++++
 src/host-browser/host-browser.rb           |   29 +++++++++++++++++++++------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
index 2e91e69..d3d01d6 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -130,6 +130,11 @@ class ovirt::setup {
         notify => Service[qpidd]
     }
 
+    single_exec { "ipa_admin_keytab" :
+        command => "/usr/sbin/ipa-getkeytab -s $ipa_host -p admin@$realm_name -k /usr/share/ovirt-server/ipa-admin.tab",
+        require => Exec[get_krb5_tkt]
+    }
+
     service {"httpd" :
         enable => true,
         require => Package[httpd],
diff --git a/src/host-browser/host-browser.rb b/src/host-browser/host-browser.rb
index 13b2ac4..b62fdba 100755
--- a/src/host-browser/host-browser.rb
+++ b/src/host-browser/host-browser.rb
@@ -331,12 +331,23 @@ class HostBrowser
       # TODO need a way to test this portion
       unless (defined? TESTING) || File.exists?(@keytab_filename)
         # TODO replace with Kr5Auth when it supports admin actions
-        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
-        kadmin_local('addprinc -randkey ' + libvirt_princ)
-        kadmin_local('ktadd -k ' + @keytab_filename + ' ' + libvirt_princ)
-        kadmin_local('addprinc -randkey ' + qpidd_princ)
-        kadmin_local('ktadd -k ' + @keytab_filename + ' ' + qpidd_princ)
+        krb5conf = File.new("/etc/krb5.conf", "r")
+        while (line = krb5conf.gets)
+          if line =~ /admin_server/ && !line.include?("FILE")
+            key,value = line.split("=")
+            ipa_host,ipa_port = value.split(":")
+          end
+        end
+        krb5conf.close
+
+        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
+        admin_keytab="/usr/share/ovirt-server/ipa-admin.tab"
+        system("/usr/kerberos/bin/kinit admin -k -t #{admin_keytab}")
+        add_principal(libvirt_princ)
+        get_keytab(libvirt_princ,ipa_host)
+        add_principal(qpidd_princ)
+        get_keytab(qpidd_princ,ipa_host)
         File.chmod(0644, at keytab_filename)
       end
@@ -367,8 +378,12 @@ class HostBrowser
   # Executes an external program to support the keytab function.
   #
-  def kadmin_local(command)
-    system("/usr/kerberos/sbin/kadmin.local -q '" + command + "'")
+  def add_principal(command)
+    system("/usr/sbin/ipa-addservice #{command}")
+  end
+
+  def get_keytab(command,ipa_host)
+    system("ipa-getkeytab -s #{ipa_host} -p #{command} -k #{@keytab_filename}")
   end
 end
-- 
1.6.0.6
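Review bot: `ipa_host` is taken from the `admin_server` line of `/etc/krb5.conf` without stripping, so whenever the value carries no `:port` it keeps its trailing newline and the shell string later built in `get_keytab` is cut into two commands; when no matching line exists it stays `nil`, and a matching line without `=` makes `value.split` raise. The return values of the `kinit` call, `add_principal` and `get_keytab` are also ignored, so a failed `kinit` lets the remaining commands run and fail silently before `File.chmod(0644, …)` either raises on a missing keytab or publishes a partial one. Reading the file with `File.foreach` (which also closes it on error), stripping the host and failing when none is found, and treating a false `system` result as fatal addresses all of that; the admin TGT that `kinit` leaves in the daemon's default credential cache should additionally be discarded with `kdestroy` (or confined via `KRB5CCNAME`) once the keytabs are written. `libvirt_princ` and `qpidd_princ` are built outside this hunk.
```ruby
        ipa_host = nil
        File.foreach("/etc/krb5.conf") do |line|
          next unless line =~ /admin_server/ && !line.include?("FILE")
          ipa_host = line.split("=", 2).last.split(":").first.strip
        end
        raise "no admin_server entry in /etc/krb5.conf" if ipa_host.nil? || ipa_host.empty?

        puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING)
        admin_keytab = "/usr/share/ovirt-server/ipa-admin.tab"
        system("/usr/kerberos/bin/kinit", "admin", "-k", "-t", admin_keytab) or raise "kinit as admin failed"
        # … unchanged: add_principal/get_keytab calls for libvirt_princ and qpidd_princ …
        system("/usr/kerberos/bin/kdestroy")
```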