Bug 864889
| Summary: | Configure winbind_krb5_locator.so via alternatives to allow IPA AD trusts use | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Alexander Bokovoy <abokovoy> | ||||
| Component: | samba4 | Assignee: | Andreas Schneider <asn> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.4 | CC: | asn, sbose, tlavigne | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | samba4-4.0.0-52.el6.rc4 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 864950 (view as bug list) | Environment: | |||||
| Last Closed: | 2013-02-21 08:36:35 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 864950 | ||||||
| Attachments: |
|
||||||
Created attachment 624780 [details]
patch to introduce alternatives for winbind_krb5_locator.so
This is spec change that is needed to allow disabling winbind_krb5_locator.so plugin when trusts are in use on the server. Since libkrb5 reads any file in its plugins directory, keeping disabled plugin there is not an option, so I moved it back to %_libdir and used alternatives instead.
When trusts package (ipa-server-trust-ad) is installed, it will alternate to /dev/null for this plugin (link in plugins dir will point to /etc/alternatives/winbind_krb5_locator.so which will point to /dev/null). This will make libkrb5 to effectively ignore the plugin.
When trusts package is uninstalled, samba4 package will automatically be selected as a provider for the winbind_krb5_locator.so and will redirect the link to %_libdir/winbind_krb5_locator.so which is happily used by libkrb5
There is a typo in post uninstall script. Fixed postun script. Fixed another typo in postun script. Installed ipa-server-trust-ad, and verified the # yum install ipa-server-trust-ad # find / -name winbind_krb5_locator.so -print /var/lib/alternatives/winbind_krb5_locator.so /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so /etc/alternatives/winbind_krb5_locator.so # ls -l /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so lrwxrwxrwx. 1 root root 41 Jan 28 11:08 /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so -> /etc/alternatives/winbind_krb5_locator.so Next uninstalled ipa-server-ad.... # yum remove ipa-server-trust-ad # find / -name winbind_krb5_locator.so -print <Nothing listed> Ques: Does this verify the bz? Not sure how to verify the part "When trusts package is uninstalled, samba4 package will automatically be selected as a provider for the winbind_krb5_locator.so and will redirect the link to %_libdir/winbind_krb5_locator.so which is happily used by libkrb5" There is also a samba4-winbind-krb5-locator plugin. If you install samba4-winbind-krb5-locator and ipa-server-trust-ad then the locator plugin should be the one from IPA. If both are installed and you uninstall ipa-server-trust-ad the samba4-winbind-krb5-locator plugin should be linked again. # rpm -qa | grep samba samba4-common-4.0.0-55.el6.rc4.x86_64 samba4-python-4.0.0-55.el6.rc4.x86_64 samba4-libs-4.0.0-55.el6.rc4.x86_64 samba4-winbind-4.0.0-55.el6.rc4.x86_64 samba4-4.0.0-55.el6.rc4.x86_64 samba4-winbind-krb5-locator-4.0.0-55.el6.rc4.x86_64 After uninstalling ipa-server-trust-ad: # ls -l /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so lrwxrwxrwx. 1 root root 41 Jan 28 13:26 /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so -> /etc/alternatives/winbind_krb5_locator.so With ipa-server-trust-ad and samba4-winbind-krb5-locator installed, then uninstalled ipa-server-trust-ad.... # find / -name winbind_krb5_locator.so -print /var/lib/alternatives/winbind_krb5_locator.so /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so /usr/lib64/winbind_krb5_locator.so /etc/alternatives/winbind_krb5_locator.so # ls -l /usr/lib64/winbind_krb5_locator.so -rwxr-xr-x. 1 root root 6000 Jan 23 05:55 /usr/lib64/winbind_krb5_locator.so # ls -l /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so lrwxrwxrwx. 1 root root 41 Jan 28 13:26 /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so -> /etc/alternatives/winbind_krb5_locator.so Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0506.html |
Description of problem: On IPA server when AD trusts feature is enabled, winbind_krb5_locator.so plugin should not be available to libkrb5. This could be achieved by requiring that samba{,4}-winbind-krb5-locator package is never installed when ipa-server-trust-ad package is installed but much easier to automatically configure through alternatives. Without this fix winbind_krb5_locator.so plugin to libkrb5 will interfere with winbindd configuration for IPA AD trusts, rendering them unusable.