remove Kerberos authenticators when installing/uninstalling service instance

Each service that owns a Kerberos keytab and/or credential cache now removes them
before its service principal is created and again during service uninstall.

https://fedorahosted.org/freeipa/ticket/5243

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
Martin Babinsky 2015-10-09 18:08:38 +02:00 committed by Martin Basti
parent 0152d16820
commit 117bf5af8c
7 changed files with 56 additions and 8 deletions


@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg("Cannot add CIFS service: %s" % e)
self.clean_samba_keytab()
installutils.remove_ccache(paths.KRB5CC_SAMBA)
try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache
krb5cc_samba = paths.KRB5CC_SAMBA
installutils.remove_file(krb5cc_samba)
installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
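Review bot: The install-side call on the first hunk passes the cache path positionally, `installutils.remove_ccache(paths.KRB5CC_SAMBA)`, while the uninstall hunk and every other caller in this commit use the keyword form; `installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)` keeps the call sites uniform and guards against the helper's first parameter ever being reordered. The samba keytab is cleaned through `self.clean_samba_keytab()` rather than the new `installutils.remove_keytab()`, which is fine if that method does more than unlink the file, but a one-line comment saying so would stop a later reader from "fixing" it. Both enclosing methods start outside these hunks, so I cannot see whether the removal on the first hunk runs unconditionally or only on the `Cannot add CIFS service` path.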


@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
if named_regular_running:
self.named_regular.start()
installutils.remove_keytab(paths.NAMED_KEYTAB)
installutils.remove_ccache(run_as='named')
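Review bot: `installutils.remove_ccache(run_as='named')` hard-codes the service user as a string literal where the DS and HTTP sections pass module constants (`DS_USER`, `HTTPD_USER`); if bindinstance already has a constant for the named user it should be used here, otherwise one should be introduced next to the other user constants. Because no `ccache_path` is given and the helper runs kdestroy with an empty environment, the cache that gets destroyed is whatever krb5.conf `default_ccache_name` resolves to for that uid; if named is pointed at a different cache through its own unit or sysconfig environment, that cache is presumably left behind, so the explicit path form used by the HTTP and ODS sections would be the safer choice where such a path exists. The enclosing uninstall method starts outside this hunk.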


@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
def __setup_principal(self):
assert self.ods_gid is not None
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dnssynckey_principal)
@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
os.remove(paths.DNSSEC_SOFTHSM_PIN)
except Exception:
pass
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
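Review bot: The uninstall hunk removes only the keytab, whereas the ODS exporter section in the same commit removes both its keytab and its credential cache; if ipa-dnskeysyncd maintains a credential cache of its own, a matching `installutils.remove_ccache(...)` call is missing here and stale tickets would survive uninstall. The new line also sits directly after a pre-existing `except Exception: pass` around the SoftHSM PIN removal, so a failure there is invisible while the keytab removal at least warns; the asymmetry is worth a short comment if it is intentional. The install-side placement of `remove_keytab` before `kadmin_addprinc` is correct. Both enclosing methods extend beyond these hunks.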


@ -937,8 +937,8 @@ class DsInstance(service.Service):
root_logger.debug("Removing DS instance %s" % serverid)
try:
remove_ds_instance(serverid)
root_logger.debug("Removing DS keytab")
installutils.remove_file(paths.DS_KEYTAB)
installutils.remove_keytab(paths.DS_KEYTAB)
installutils.remove_ccache(run_as=DS_USER)
except ipautil.CalledProcessError:
root_logger.error("Failed to remove DS instance. You may "
"need to remove instance data manually")
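Review bot: The keytab and ccache removal are placed inside the `try` after `remove_ds_instance(serverid)`, so when that call raises `CalledProcessError` the handler only logs "Failed to remove DS instance" and the DS keytab with its live keys stays on disk; the two new calls should run regardless, e.g. in a `finally:` clause or after the `try`/`except`, since the helpers already swallow their own failures. If the `Removing DS keytab` debug line is retained on the new side (the rendered page does not show which side it is on), it now duplicates the `Removing service keytab: ...` message logged by `installutils.remove_keytab` and can be dropped. The enclosing uninstall method starts outside this hunk.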


@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
def __create_http_keytab(self):
if not self.promote:
installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.kadmin_addprinc(self.principal)
installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
self.move_service(self.principal)
@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
ipautil.run(
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
root_logger.debug(error)
pass
# Remove the ccache file for the HTTPD service
ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
raiseonerr=False)
installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
run_as=HTTPD_USER)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
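Review bot: The install-side cleanup still hand-rolls `ipautil.run([paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})` while the uninstall side now goes through the new `installutils.remove_ccache` helper; the helper has no way to express `-A`, so either give it an `all_caches=False` keyword that appends `'-A'` and call `installutils.remove_ccache(run_as=HTTPD_USER, all_caches=True)` here, or leave a comment explaining why this site bypasses it. Note the resulting asymmetry: install destroys httpd's whole default collection, uninstall destroys only `paths.KRB5CC_HTTPD`, so if httpd's default cache is a collection type any other entries presumably survive uninstall. `remove_keytab(paths.IPA_KEYTAB)` being guarded by `if not self.promote` is reasonable only if the promote path obtains the keytab by other means; a one-line comment there would make that explicit. All three enclosing methods extend beyond their hunks.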


@ -20,6 +20,7 @@
from __future__ import absolute_import
from __future__ import print_function
import errno
import socket
import getpass
import gssapi
@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
for dn in remaining_changes:
root_logger.error(
"DN: %s does not exists or haven't been updated", dn)
def remove_keytab(keytab_path):
"""
Remove Kerberos keytab and issue a warning if the procedure fails
:param keytab_path: path to the keytab file
"""
try:
root_logger.debug("Removing service keytab: {}".format(keytab_path))
os.remove(keytab_path)
except OSError as e:
if e.errno != errno.ENOENT:
root_logger.warning("Failed to remove Kerberos keytab '{}': "
"{}".format(keytab_path, e))
root_logger.warning("You may have to remove it manually")
def remove_ccache(ccache_path=None, run_as=None):
"""
remove Kerberos credential cache, essentially a wrapper around kdestroy.
:param ccache_path: path to the ccache file
:param run_as: run kdestroy as this user
"""
root_logger.debug("Removing service credentials cache")
kdestroy_cmd = [paths.KDESTROY]
if ccache_path is not None:
root_logger.debug("Ccache path: '{}'".format(ccache_path))
kdestroy_cmd.extend(['-c', ccache_path])
try:
ipautil.run(kdestroy_cmd, runas=run_as, env={})
except ipautil.CalledProcessError as e:
root_logger.warning(
"Failed to clear Kerberos credentials cache: {}".format(e))
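Review bot: `remove_ccache` called with `run_as` but no `ccache_path` runs kdestroy with `env={}`, so the cache destroyed is the one krb5.conf `default_ccache_name` yields for that uid, not necessarily the cache a service selected through `KRB5CCNAME` in its own environment; the docstring should say so, e.g. `Without ccache_path, the default cache for run_as (per krb5.conf, KRB5CCNAME is deliberately unset) is destroyed; pass ccache_path for services that use a non-default cache.` Since `ipautil.run` is left with its default `raiseonerr`, a cache that is simply absent will, as far as I recall kdestroy's behaviour, exit non-zero and produce the `Failed to clear Kerberos credentials cache` warning on every clean install, which trains operators to ignore it; consider `raiseonerr=False` and warning only when the return code indicates something other than a missing cache, or skipping the run when an explicit `ccache_path` does not exist. In `remove_keytab`, the `root_logger.debug(...)` call does not raise `OSError` and belongs before the `try`, and the docstring is worth a note that `os.remove` unlinks but does not overwrite the key material.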


@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
if signerd_running:
signerd_service.start()
installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)
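Review bot: Only the uninstall side of ODSExporterInstance is touched, whereas the commit description says each service also removes its authenticators before creating its service principal; if this class creates its principal in a setup method like the `DNSKeySyncInstance.__setup_principal` hunk, the matching `installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)` before `kadmin_addprinc` is missing from this diff. The ccache is destroyed without `run_as`, which is fine for a file cache removed as root, but a short comment stating that the exporter's cache is a plain file would document why no user is passed here when the DS and HTTP sections do. The enclosing uninstall method starts outside this hunk.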