Try to catch more error conditions during installation

Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2025-02-25 18:55:28 -06:00 · 2007-10-03 17:37:13 -04:00 · 2007-10-03 17:37:13 -04:00 · 53e872fb72
commit 53e872fb72
parent 1cef67e2e1
6 changed files with 124 additions and 44 deletions
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@ -144,3 +144,8 @@ CONNECTION_NO_CCACHE = gen_error_code(
        CONNECTION_CATEGORY,
        0x0002,
        "No Kerberos credentials cache is available. Connection cannot be made.")
+
+CONNECTION_GSSAPI_CREDENTIALS = gen_error_code(
+        CONNECTION_CATEGORY,
+        0x0003,
+        "GSSAPI Authorization error")
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@ -34,6 +34,7 @@ import socket
 import logging
 import pwd
 import getpass
+import subprocess
 import signal
 import shutil
 import glob
@ -430,36 +431,46 @@ def main():
    ds.restart()
    krb.restart()

-    # Allow apache to connect to the turbogears web gui
    try:
-        run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
-    except:
-        # SELinux may be disabled
-        pass
+        selinux=0
+        try:
+            if (os.path.exists('/usr/sbin/selinuxenabled')):
+                run(["/usr/sbin/selinuxenabled"])
+                selinux=1
+        except subprocess.CalledProcessError, e:
+            # selinuxenabled returns 1 if not enabled
+            pass

-    # Start the web gui
-    run(["/sbin/service", "ipa-webgui", "start"])
+        if selinux:
+            # Allow apache to connect to the turbogears web gui
+            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])

-    # Set the web gui to start on boot
-    run(["/sbin/chkconfig", "ipa-webgui", "on"])
+        # Start the web gui
+        run(["/sbin/service", "ipa-webgui", "start"])

-    # Restart apache
-    run(["/sbin/service", "httpd", "restart"])
+        # Set the web gui to start on boot
+        run(["/sbin/chkconfig", "ipa-webgui", "on"])

-    # Set apache to start on boot
-    run(["/sbin/chkconfig", "httpd", "on"])
+        # Restart apache
+        run(["/sbin/service", "httpd", "restart"])

-    # Set fedora-ds to start on boot
-    run(["/sbin/chkconfig", "dirsrv", "on"])
+        # Set apache to start on boot
+        run(["/sbin/chkconfig", "httpd", "on"])

-    # Set the KDC to start on boot
-    run(["/sbin/chkconfig", "krb5kdc", "on"])
+        # Set fedora-ds to start on boot
+        run(["/sbin/chkconfig", "dirsrv", "on"])

-    # Set the Kpasswd to start on boot
-    run(["/sbin/chkconfig", "ipa-kpasswd", "on"])
+        # Set the KDC to start on boot
+        run(["/sbin/chkconfig", "krb5kdc", "on"])

-    # Start Kpasswd
-    run(["/sbin/service", "ipa-kpasswd", "start"])
+        # Set the Kpasswd to start on boot
+        run(["/sbin/chkconfig", "ipa-kpasswd", "on"])
+
+        # Start Kpasswd
+        run(["/sbin/service", "ipa-kpasswd", "start"])
+    except subprocess.CalledProcessError, e:
+        print "Installation failed:", e
+        return 1

    # Set the admin user kerberos password
    ds.change_admin_password(admin_password)
--- a/ipa-server/ipaserver/bindinstance.py
+++ b/ipa-server/ipaserver/bindinstance.py
@ -68,7 +68,10 @@ class BindInstance:
        self.__setup_zone()
        self.__setup_named_conf()

-        self.start()
+        try:
+            self.start()
+        except:
+            print "named service failed to start"

    def stop(self):
        run(["/sbin/service", "named", "stop"])
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@ -91,7 +91,11 @@ class DsInstance:
        self.__add_default_schemas()
        self.__enable_ssl()
        self.__certmap_conf()
-        self.restart()
+        try:
+            self.restart()
+        except:
+            # TODO: roll back here?
+            print "Failed to restart the ds instance"
        self.__add_default_layout()
        self.__create_test_users()

@ -126,8 +130,12 @@ class DsInstance:
 	except KeyError:
            logging.debug("adding ds user %s" % self.ds_user)
            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
-            run(args)
-            logging.debug("done adding user")
+            try:
+                run(args)
+                logging.debug("done adding user")
+            except subprocess.CalledProcessError, e:
+                print "Failed to add user", e
+                logging.debug("failed to add user %s" % e)

    def __create_instance(self):
        logging.debug("creating ds instance . . . ")
@ -141,11 +149,19 @@ class DsInstance:
        else:
            args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
            logging.debug("calling ds_newinst.pl")
-        run(args)
-        logging.debug("completed creating ds instance")
+        try:
+            run(args)
+            logging.debug("completed creating ds instance")
+        except subprocess.CalledProcessError, e:
+            print "failed to restart ds instance", e
+            logging.debug("failed to restart ds instance %s" % e)
        logging.debug("restarting ds instance")
-        self.restart()
-        logging.debug("done restarting ds instance")
+        try:
+            self.restart()
+            logging.debug("done restarting ds instance")
+        except subprocess.CalledProcessError, e:
+            print "failed to restart ds instance", e
+            logging.debug("failed to restart ds instance %s" % e)

    def __add_default_schemas(self):
        shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
@ -158,8 +174,12 @@ class DsInstance:
        dirname = self.config_dirname()
        args = ["/usr/share/ipa/ipa-server-setupssl", self.dm_password,
                dirname, self.host_name]
-        run(args)
-        logging.debug("done configuring ssl for ds instance")
+        try:
+            run(args)
+            logging.debug("done configuring ssl for ds instance")
+        except subprocess.CalledProcessError, e:
+            print "Failed to enable ssl in ds instance", e
+            logging.debug("Failed to configure ssl in ds instance %s" % e)
        
    def __add_default_layout(self):
        txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
@ -167,8 +187,12 @@ class DsInstance:
        logging.debug("adding default ds layout")
        args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
                "-w", self.dm_password, "-f", inf_fd.name]
-        run(args)
-        logging.debug("done adding default ds layout")
+        try:
+            run(args)
+            logging.debug("done adding default ds layout")
+        except subprocess.CalledProcessError, e:
+            print "Failed to add default ds layout", e
+            logging.debug("Failed to add default ds layout %s" % e)
        
    def __create_test_users(self):
        logging.debug("create test users ldif")
@ -194,6 +218,10 @@ class DsInstance:
                "-D", "cn=Directory Manager", "-w", self.dm_password,
                "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
                "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
-        run(args)
-        logging.debug("ldappasswd done")
+        try:
+            run(args)
+            logging.debug("ldappasswd done")
+        except subprocess.CalledProcessError, e:
+            print "Unable to set admin password", e
+            logging.debug("Unable to set admin password %s" % e)

--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@ -74,7 +74,11 @@ class KrbInstance:
 	self.suffix = realm_to_suffix(self.realm)
        self.kdc_password = generate_kdc_password()

-        self.stop()
+        try:
+            self.stop()
+        except:
+            # It could have been not running
+            pass

 	self.__configure_kdc_account_password()

@ -94,7 +98,10 @@ class KrbInstance:

        self.__add_pwd_extop_module()

-        self.start()
+        try:
+            self.start()
+        except:
+            print "krb5kdc service failed to start"

    def stop(self):
        run(["/sbin/service", "krb5kdc", "stop"])
@ -127,13 +134,19 @@ class KrbInstance:
 	#TODO: test that the ldif is ok with any random charcter we may use in the password
        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
        kerberos_fd = write_tmp_file(kerberos_txt)
-        ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+        try:
+            ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+        except subprocess.CalledProcessError, e:
+            print "Failed to load kerberos.ldif", e
        kerberos_fd.close()

 	#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
        aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
        aci_fd = write_tmp_file(aci_txt) 
-        ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+        try:
+            ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+        except subprocess.CalledProcessError, e:
+            print "Failed to load default-aci.ldif", e
        aci_fd.close()

    def __create_instance(self):
@ -149,20 +162,33 @@ class KrbInstance:

        #populate the directory with the realm structure
        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
-        run(args)
+        try:
+            run(args)
+        except subprocess.CalledProcessError, e:
+            print "Failed to populate the realm structure in kerberos", e

    #add the password extop module
    def __add_pwd_extop_module(self):
        extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
        extop_fd = write_tmp_file(extop_txt)
-        ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+        try:
+            ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+        except subprocess.CalledProcessError, e:
+            print "Failed to load pwd-extop-conf.ldif", e
        extop_fd.close()

        #add an ACL to let the DS user read the master key
        args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
-        run(args)
+        try:
+            run(args)
+        except subprocess.CalledProcessError, e:
+            print "Failed to set the ACL on the master key", e

    def __create_ds_keytab(self):
+        try:
+            os.remove("/etc/dirsrv/ds.keytab")
+        except os.OSError:
+            print "Failed to remove /etc/dirsrv/ds.keytab."
        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
        kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
        kwrite.flush()
@ -218,6 +244,10 @@ class KrbInstance:
        os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid)

    def __create_http_keytab(self):
+        try:
+            os.remove("/etc/httpd/conf/ipa.keytab")
+        except os.OSError:
+            print "Failed to remove /etc/httpd/conf/ipa.keytab."
        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
        kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
        kwrite.flush()
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@ -69,7 +69,7 @@ class IPAConnPool:
        if conn is None:
            return
        # We can't re-use SASL connections. If proxydn is None it means
-        # we have a Kerberos credentails cache set. See ipaldap.set_krbccache
+        # we have a Kerberos credentials cache set. See ipaldap.set_krbccache
        if conn.proxydn is None:
            conn.unbind_s()
        else:
@ -168,7 +168,10 @@ class IPAServer:
        else:
            raise ipaerror.gen_exception(ipaerror.CONNECTION_NO_CCACHE)

-        conn = _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache,debug)
+        try:
+            conn = _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache,debug)
+        except ldap.INVALID_CREDENTIALS, e:
+            raise ipaerror.gen_exception(ipaerror.CONNECTION_GSSAPI_CREDENTIALS, nested_exception=e)

        if conn is None:
            raise ipaerror.gen_exception(ipaerror.CONNECTION_NO_CONN)