remove Kerberos authenticators when installing/uninstalling service instance

each service that owns a Kerberos keytab and/or credential cache now removes it
before its service principal is (re)created and again during service uninstall

https://fedorahosted.org/freeipa/ticket/5243

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Martin Babinsky 2015-10-09 18:08:38 +02:00 committed by Martin Basti
parent 0152d16820
commit 117bf5af8c
7 changed files with 56 additions and 8 deletions


@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg("Cannot add CIFS service: %s" % e) self.print_msg("Cannot add CIFS service: %s" % e)
self.clean_samba_keytab() self.clean_samba_keytab()
installutils.remove_ccache(paths.KRB5CC_SAMBA)
try: try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn, ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg('WARNING: ' + str(e)) self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache # Remove samba's credentials cache
krb5cc_samba = paths.KRB5CC_SAMBA installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
installutils.remove_file(krb5cc_samba)
# Remove samba's configuration file # Remove samba's configuration file
installutils.remove_file(self.smb_conf) installutils.remove_file(self.smb_conf)
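Review bot: The uninstall hunk swaps an unconditional `remove_file(krb5cc_samba)` for `kdestroy -c` on the same path, and kdestroy normally exits non-zero when the named cache does not exist, so a host where smbd never obtained a ticket will now log "Failed to clear Kerberos credentials cache" on every uninstall. Either guard the call, `if os.path.exists(paths.KRB5CC_SAMBA): installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)`, or keep the old tolerant removal as a fallback. The install-failure path in the first hunk passes the same path positionally; using `ccache_path=` there as well keeps both call sites readable. Both enclosing methods start outside the hunks shown.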


@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
if named_regular_running: if named_regular_running:
self.named_regular.start() self.named_regular.start()
installutils.remove_keytab(paths.NAMED_KEYTAB)
installutils.remove_ccache(run_as='named')
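Review bot: `remove_ccache(run_as='named')` runs kdestroy as the `named` account unconditionally, but the helper only swallows `ipautil.CalledProcessError`; if `ipautil.run` resolves the user before forking, a host where the account is absent (DNS never configured here) would presumably raise past this point instead of producing the warning the helper intends — worth confirming against `ipautil.run`. The DS and HTTP sections use `DS_USER`/`HTTPD_USER` constants for the same purpose; a comment such as `# named keeps its ticket in its default ccache, so no -c path is passed` would also explain why no `ccache_path` is given here. The enclosing uninstall method starts outside the hunk.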


@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
def __setup_principal(self): def __setup_principal(self):
assert self.ods_gid is not None assert self.ods_gid is not None
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dnssynckey_principal) installutils.kadmin_addprinc(dnssynckey_principal)
@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
os.remove(paths.DNSSEC_SOFTHSM_PIN) os.remove(paths.DNSSEC_SOFTHSM_PIN)
except Exception: except Exception:
pass pass
installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
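Review bot: The uninstall hunk removes only the keytab, whereas the sibling ODS exporter and DS/HTTP sections also destroy the service's credential cache; if ipa-dnskeysyncd acquires a ticket from this keytab while running, a cache is presumably left behind here — confirm where the daemon stores it and add the matching `installutils.remove_ccache(...)` call, or a one-line comment stating that it keeps no on-disk ccache. In `__setup_principal` the keytab removal precedes `kadmin_addprinc`, which is the intended "stale key before new principal" order. The enclosing uninstall method starts outside the hunk.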


@ -937,8 +937,8 @@ class DsInstance(service.Service):
root_logger.debug("Removing DS instance %s" % serverid) root_logger.debug("Removing DS instance %s" % serverid)
try: try:
remove_ds_instance(serverid) remove_ds_instance(serverid)
root_logger.debug("Removing DS keytab") installutils.remove_keytab(paths.DS_KEYTAB)
installutils.remove_file(paths.DS_KEYTAB) installutils.remove_ccache(run_as=DS_USER)
except ipautil.CalledProcessError: except ipautil.CalledProcessError:
root_logger.error("Failed to remove DS instance. You may " root_logger.error("Failed to remove DS instance. You may "
"need to remove instance data manually") "need to remove instance data manually")
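Review bot: `remove_keytab` and `remove_ccache` are placed inside the `try` whose only purpose is `remove_ds_instance(serverid)`, so when that call raises `CalledProcessError` the DS keytab and ccache are never removed — exactly the leftover authenticator this commit sets out to eliminate. Both helpers already catch their own failures and log a warning, so they do not need the surrounding handler; move the two calls below the `except` block so they run regardless: `installutils.remove_keytab(paths.DS_KEYTAB)` and `installutils.remove_ccache(run_as=DS_USER)` after the error branch. The enclosing uninstall method starts outside the hunk.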


@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
def __create_http_keytab(self): def __create_http_keytab(self):
if not self.promote: if not self.promote:
installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.kadmin_addprinc(self.principal) installutils.kadmin_addprinc(self.principal)
installutils.create_keytab(paths.IPA_KEYTAB, self.principal) installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
self.move_service(self.principal) self.move_service(self.principal)
@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
# Clean up existing ccache # Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from # Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env # current env
ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) ipautil.run(
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self): def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF target_fname = paths.HTTPD_IPA_CONF
@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
root_logger.debug(error) root_logger.debug(error)
pass pass
# Remove the ccache file for the HTTPD service installutils.remove_keytab(paths.IPA_KEYTAB)
ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER, installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
raiseonerr=False) run_as=HTTPD_USER)
# Remove the configuration files we create # Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
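Review bot: The middle hunk keeps a hand-rolled `ipautil.run([paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})` next to the new `installutils.remove_ccache` helper that wraps the very same kdestroy/empty-env pattern; the only reason it cannot use the helper is the `-A` flag. Extending the helper with an `all_caches=False` keyword (appending `'-A'` when set) would let this call become `installutils.remove_ccache(run_as=HTTPD_USER, all_caches=True)` and keep the "empty env so KRB5CCNAME is not inherited" rationale in one place. The uninstall hunk correctly pairs `remove_keytab(paths.IPA_KEYTAB)` with destroying `KRB5CC_HTTPD` as `HTTPD_USER`. The enclosing methods start outside the hunks shown.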


@ -20,6 +20,7 @@
from __future__ import absolute_import from __future__ import absolute_import
from __future__ import print_function from __future__ import print_function
import errno
import socket import socket
import getpass import getpass
import gssapi import gssapi
@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
for dn in remaining_changes: for dn in remaining_changes:
root_logger.error( root_logger.error(
"DN: %s does not exists or haven't been updated", dn) "DN: %s does not exists or haven't been updated", dn)
def remove_keytab(keytab_path):
"""
Remove Kerberos keytab and issue a warning if the procedure fails
:param keytab_path: path to the keytab file
"""
try:
root_logger.debug("Removing service keytab: {}".format(keytab_path))
os.remove(keytab_path)
except OSError as e:
if e.errno != errno.ENOENT:
root_logger.warning("Failed to remove Kerberos keytab '{}': "
"{}".format(keytab_path, e))
root_logger.warning("You may have to remove it manually")
def remove_ccache(ccache_path=None, run_as=None):
"""
remove Kerberos credential cache, essentially a wrapper around kdestroy.
:param ccache_path: path to the ccache file
:param run_as: run kdestroy as this user
"""
root_logger.debug("Removing service credentials cache")
kdestroy_cmd = [paths.KDESTROY]
if ccache_path is not None:
root_logger.debug("Ccache path: '{}'".format(ccache_path))
kdestroy_cmd.extend(['-c', ccache_path])
try:
ipautil.run(kdestroy_cmd, runas=run_as, env={})
except ipautil.CalledProcessError as e:
root_logger.warning(
"Failed to clear Kerberos credentials cache: {}".format(e))
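Review bot: `remove_ccache()` with both defaults left at `None` builds a bare `[paths.KDESTROY]` and runs it as the invoking user, which in the installers is root; with `env={}` that would destroy root's default credential cache (the admin ticket the installer itself may be using) rather than any service cache. No caller in this commit does that, but the signature invites it; add a guard at the top, `if ccache_path is None and run_as is None: raise ValueError("remove_ccache: specify ccache_path and/or run_as")`. The `env={}` argument also deserves the same comment the HTTP section carries, e.g. `# empty env so KRB5CCNAME from the installer's environment is not inherited`. Note that unlike `remove_keytab`, which ignores `ENOENT`, this helper warns whenever kdestroy exits non-zero, including for a cache that simply does not exist.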


@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
if signerd_running: if signerd_running:
signerd_service.start() signerd_service.start()
installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)
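Review bot: `remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)` runs kdestroy as root with no `run_as`, whereas the DS and HTTP sections destroy their caches as the owning service user; that is fine if `IPA_ODS_EXPORTER_CCACHE` is a plain FILE path, but would not reach a per-user KEYRING or DIR cache, so confirm the cache type and pass the exporter's user via `run_as=` if needed. A short comment such as `# FILE ccache, so root can destroy it directly` would record that decision. The enclosing uninstall method starts outside the hunk.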