improve the handling of krb5-related errors in dnssec daemons

ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks. https://fedorahosted.org/freeipa/ticket/5229 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-18 18:33:37 +02:00
parent 27988f1b83
commit 3506938a75
3 changed files with 20 additions and 4 deletions
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -12,6 +12,7 @@ from binascii import hexlify
 from datetime import datetime
 import dns.dnssec
 import fcntl
+from krbV import Krb5Error
 import logging
 import os
 from pprint import pprint
@@ -141,7 +142,14 @@ log.setLevel(level=logging.DEBUG)
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
+
+try:
+    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
+                         ccache_filename, attempts=5)
+except Krb5Error as e:
+    log.critical('Kerberos authentication failed: %s', e)
+    sys.exit(1)
+
 os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')

--- a/daemons/dnssec/ipa-dnskeysyncd
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -66,9 +66,9 @@ PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
 try:
-    ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
+    ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
 except Exception as ex:
-    log.critical(ex)
+    log.critical("Kerberos authentication failed: %s", ex)
    # signal failure and let init system to restart the daemon
    sys.exit(1)
 os.environ['KRB5CCNAME'] = ccache_filename
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -20,6 +20,7 @@ from datetime import datetime
 import dateutil.tz
 import dns.dnssec
 import fcntl
+from krbV import Krb5Error
 import logging
 import os
 import subprocess
@@ -482,7 +483,14 @@ ipalib.api.finalize()
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)
+
+try:
+    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
+                         attempts=5)
+except Krb5Error as e:
+    log.critical('Kerberos authentication failed: %s', e)
+    sys.exit(1)
+
 os.environ['KRB5CCNAME'] = ccache_name
 log.debug('Got TGT')