remove Kerberos authenticators when installing/uninstalling service instance
Each service that possesses a Kerberos keytab or credential cache now removes them before its service principal is created and during service uninstall. https://fedorahosted.org/freeipa/ticket/5243 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
parent
0152d16820
commit
117bf5af8c
@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
|
||||
self.print_msg("Cannot add CIFS service: %s" % e)
|
||||
|
||||
self.clean_samba_keytab()
|
||||
installutils.remove_ccache(paths.KRB5CC_SAMBA)
|
||||
|
||||
try:
|
||||
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
|
||||
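Review bot: `installutils.remove_ccache(paths.KRB5CC_SAMBA)` passes the cache path positionally while the uninstall side of this same class, and every other caller in the commit, uses the `ccache_path=` keyword; since the helper's first two parameters are both optional strings, a positional call is easy to misread as a `run_as` value. Suggest `installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)`. On a fresh install this cache normally does not exist yet, so expect the helper's "Failed to clear Kerberos credentials cache" warning unless the helper learns to skip absent file caches. The enclosing method starts and ends outside the hunk.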
@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
|
||||
self.print_msg('WARNING: ' + str(e))
|
||||
|
||||
# Remove samba's credentials cache
|
||||
krb5cc_samba = paths.KRB5CC_SAMBA
|
||||
installutils.remove_file(krb5cc_samba)
|
||||
installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
|
||||
|
||||
# Remove samba's configuration file
|
||||
installutils.remove_file(self.smb_conf)
|
||||
|
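Review bot: Replacing `installutils.remove_file(krb5cc_samba)` with `installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)` makes cache removal best-effort: the helper only logs a warning when kdestroy fails, so if kdestroy fails for any reason other than the file being absent, a cache file could now survive uninstall where the old unconditional unlink removed it. If that trade-off is intended, a comment saying so would help; otherwise keep `installutils.remove_file(paths.KRB5CC_SAMBA)` as a fallback after the kdestroy call so credentials never linger on disk. The enclosing uninstall method starts and ends outside the hunk.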
@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
|
||||
|
||||
if named_regular_running:
|
||||
self.named_regular.start()
|
||||
|
||||
installutils.remove_keytab(paths.NAMED_KEYTAB)
|
||||
installutils.remove_ccache(run_as='named')
|
||||
|
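Review bot: `installutils.remove_ccache(run_as='named')` destroys whichever cache libkrb5 resolves as the default for the named user under an empty environment, i.e. the `default_ccache_name` from krb5.conf; if named is started with an explicit KRB5CCNAME (for example from its sysconfig or unit file), that cache is not the one removed here. Consider passing the actual cache location via `ccache_path=` when it is known, or add a comment stating that named is expected to use the default cache, e.g. `# named uses the default ccache for its user; no explicit path is configured`. The enclosing method starts outside the hunk.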
@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
|
||||
|
||||
def __setup_principal(self):
|
||||
assert self.ods_gid is not None
|
||||
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
|
||||
dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
|
||||
installutils.kadmin_addprinc(dnssynckey_principal)
|
||||
|
||||
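Review bot: The new `installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)` runs unconditionally before `kadmin_addprinc`, so a re-run of the installer discards the existing keytab even if the principal creation that follows then fails, leaving the service without a usable key until a later step re-creates it. That is presumably the intended "stale keys must not survive" behaviour from the ticket, but it deserves a comment, e.g. `# Drop any keytab left from a previous install so old keys cannot outlive the new principal`. The method continues outside the hunk, so I cannot see where the keytab is re-created.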
@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
|
||||
os.remove(paths.DNSSEC_SOFTHSM_PIN)
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
|
||||
|
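Review bot: `installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)` is the only credential cleanup added to this uninstall path, whereas the ODS exporter hunk in this same commit removes both a keytab and a credential cache. If ipa-dnskeysyncd acquires tickets into its own cache, that cache should be destroyed here as well; if it only ever uses the keytab, a one-line comment such as `# ipa-dnskeysyncd has no persistent ccache; the keytab is its only Kerberos state` would stop the question from recurring. The enclosing method starts outside the hunk.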
@ -937,8 +937,8 @@ class DsInstance(service.Service):
|
||||
root_logger.debug("Removing DS instance %s" % serverid)
|
||||
try:
|
||||
remove_ds_instance(serverid)
|
||||
root_logger.debug("Removing DS keytab")
|
||||
installutils.remove_file(paths.DS_KEYTAB)
|
||||
installutils.remove_keytab(paths.DS_KEYTAB)
|
||||
installutils.remove_ccache(run_as=DS_USER)
|
||||
except ipautil.CalledProcessError:
|
||||
root_logger.error("Failed to remove DS instance. You may "
|
||||
"need to remove instance data manually")
|
||||
|
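Review bot: `installutils.remove_keytab(paths.DS_KEYTAB)` and `installutils.remove_ccache(run_as=DS_USER)` sit inside the `try` guarding `remove_ds_instance(serverid)`, so when instance removal raises `ipautil.CalledProcessError` the keytab and cache are never touched, and the error message only mentions instance data. Both helpers already handle their own failures with warnings rather than exceptions, so they can safely be moved after the `except` block (or into a `finally:`) so the DS credentials are removed even when the instance cannot be. The enclosing method starts and ends outside the hunk.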
@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
|
||||
|
||||
def __create_http_keytab(self):
|
||||
if not self.promote:
|
||||
installutils.remove_keytab(paths.IPA_KEYTAB)
|
||||
installutils.kadmin_addprinc(self.principal)
|
||||
installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
|
||||
self.move_service(self.principal)
|
||||
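Review bot: `installutils.remove_keytab(paths.IPA_KEYTAB)` is added only on the `not self.promote` branch, which is correct if the promote path never reuses a pre-existing keytab, but nothing here says so; a comment on why the removal precedes `kadmin_addprinc` would help, e.g. `# A keytab from a previous install holds keys for the old principal; remove it before re-creating the principal`. Worth confirming that the promote branch, which is outside this hunk, obtains a fresh keytab rather than trusting whatever is on disk. The method continues past the hunk.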
@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
|
||||
# Clean up existing ccache
|
||||
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
|
||||
# current env
|
||||
ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
|
||||
ipautil.run(
|
||||
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
|
||||
|
||||
def __configure_http(self):
|
||||
target_fname = paths.HTTPD_IPA_CONF
|
||||
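Review bot: `ipautil.run([paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})` duplicates what the new `installutils.remove_ccache(run_as=HTTPD_USER)` does, except for the `-A` flag that destroys every cache in the user's collection. Either call the helper here if destroying only the default cache is sufficient, or give the helper an `all_caches=False` keyword so this site can use it too; keeping a hand-rolled kdestroy next to a shared wrapper invites the two to drift. The enclosing method starts and ends outside the hunk.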
@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
|
||||
root_logger.debug(error)
|
||||
pass
|
||||
|
||||
# Remove the ccache file for the HTTPD service
|
||||
ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
|
||||
raiseonerr=False)
|
||||
installutils.remove_keytab(paths.IPA_KEYTAB)
|
||||
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
|
||||
run_as=HTTPD_USER)
|
||||
|
||||
# Remove the configuration files we create
|
||||
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
|
||||
|
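Review bot: The uninstall path now destroys only `paths.KRB5CC_HTTPD` via `installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, run_as=HTTPD_USER)`, while the install path in this same class uses `kdestroy -A` for the httpd user; if httpd's default cache is a collection type (DIR: or KEYRING:), tickets held outside the named file cache would survive uninstall. Consider also calling `installutils.remove_ccache(run_as=HTTPD_USER)` here, or document why the single file cache is sufficient. The enclosing method starts and ends outside the hunk.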
@ -20,6 +20,7 @@
|
||||
from __future__ import absolute_import
|
||||
from __future__ import print_function
|
||||
|
||||
import errno
|
||||
import socket
|
||||
import getpass
|
||||
import gssapi
|
||||
@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
|
||||
for dn in remaining_changes:
|
||||
root_logger.error(
|
||||
"DN: %s does not exists or haven't been updated", dn)
|
||||
|
||||
|
||||
def remove_keytab(keytab_path):
|
||||
"""
|
||||
Remove Kerberos keytab and issue a warning if the procedure fails
|
||||
|
||||
:param keytab_path: path to the keytab file
|
||||
"""
|
||||
try:
|
||||
root_logger.debug("Removing service keytab: {}".format(keytab_path))
|
||||
os.remove(keytab_path)
|
||||
except OSError as e:
|
||||
if e.errno != errno.ENOENT:
|
||||
root_logger.warning("Failed to remove Kerberos keytab '{}': "
|
||||
"{}".format(keytab_path, e))
|
||||
root_logger.warning("You may have to remove it manually")
|
||||
|
||||
|
||||
def remove_ccache(ccache_path=None, run_as=None):
|
||||
"""
|
||||
remove Kerberos credential cache, essentially a wrapper around kdestroy.
|
||||
|
||||
:param ccache_path: path to the ccache file
|
||||
:param run_as: run kdestroy as this user
|
||||
"""
|
||||
root_logger.debug("Removing service credentials cache")
|
||||
kdestroy_cmd = [paths.KDESTROY]
|
||||
if ccache_path is not None:
|
||||
root_logger.debug("Ccache path: '{}'".format(ccache_path))
|
||||
kdestroy_cmd.extend(['-c', ccache_path])
|
||||
|
||||
try:
|
||||
ipautil.run(kdestroy_cmd, runas=run_as, env={})
|
||||
except ipautil.CalledProcessError as e:
|
||||
root_logger.warning(
|
||||
"Failed to clear Kerberos credentials cache: {}".format(e))
|
||||
|
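Review bot: `remove_ccache` treats any non-zero exit from kdestroy as a warning, but MIT kdestroy exits non-zero when the named cache does not exist, so every fresh install and every uninstall of a service that never obtained a ticket will log "Failed to clear Kerberos credentials cache". When `ccache_path` is given and names a plain file, skip the call for an absent cache: `if ccache_path is not None and not os.path.exists(ccache_path): return` (with a debug message) before extending `kdestroy_cmd`; if callers may pass `KEYRING:` or `DIR:` specs, limit the check to `FILE:`/bare paths. The `remove_keytab` docstring should also state that a missing keytab (`ENOENT`) is silently tolerated, and `remove_ccache`'s summary line should start with a capital letter for consistency with `remove_keytab`.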
@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
|
||||
|
||||
if signerd_running:
|
||||
signerd_service.start()
|
||||
|
||||
installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
|
||||
installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)
|
||||
|
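Review bot: `installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)` runs kdestroy as root, whereas the HTTP and DS uninstall hunks in this commit pass `run_as=` for the service user; for a FILE cache root can destroy it regardless of owner, so this is probably fine, but a short comment (or passing the exporter's user explicitly for symmetry) would make the intent clear, e.g. `# Run as root: the exporter's ccache is a plain file, so no user switch is needed`. If the cache is absent on systems where the exporter never ran, expect the helper's warning. The enclosing method starts outside the hunk.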