mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
Clear kernel keyring in client installer, save dbdir on new connections
This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
This commit is contained in:
parent
9c0426c3ed
commit
5bf1cee702
@ -42,6 +42,8 @@ try:
|
||||
from ipalib import api, errors
|
||||
from ipapython.dn import DN
|
||||
from ipapython.ssh import SSHPublicKey
|
||||
from ipapython import kernel_keyring
|
||||
from ipalib.rpc import COOKIE_NAME
|
||||
import SSSDConfig
|
||||
from ConfigParser import RawConfigParser
|
||||
from optparse import SUPPRESS_HELP, OptionGroup
|
||||
@ -1666,13 +1668,14 @@ def install(options, env, fstore, statestore):
|
||||
root_logger.info("Failed to add CA to the default NSS database.")
|
||||
return CLIENT_INSTALL_ERROR
|
||||
|
||||
host_principal = 'host/%s@%s' % (hostname, cli_realm)
|
||||
if options.on_master:
|
||||
# If on master assume kerberos is already configured properly.
|
||||
# Get the host TGT.
|
||||
os.environ['KRB5CCNAME'] = CCACHE_FILE
|
||||
try:
|
||||
run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
|
||||
'host/%s@%s' % (hostname, cli_realm)])
|
||||
host_principal])
|
||||
except CalledProcessError, e:
|
||||
root_logger.error("Failed to obtain host TGT.")
|
||||
return CLIENT_INSTALL_ERROR
|
||||
@ -1693,6 +1696,12 @@ def install(options, env, fstore, statestore):
|
||||
root_logger.info(
|
||||
"Configured /etc/krb5.conf for IPA realm %s", cli_realm)
|
||||
|
||||
# Clear out any current session keyring information
|
||||
try:
|
||||
kernel_keyring.del_key(COOKIE_NAME % host_principal)
|
||||
except ValueError:
|
||||
pass
|
||||
|
||||
# Now, let's try to connect to the server's XML-RPC interface
|
||||
try:
|
||||
api.Backend.xmlclient.connect()
|
||||
|
@ -546,8 +546,23 @@ class xmlclient(Connectible):
|
||||
# This shouldn't happen if we have a session but
|
||||
# it isn't fatal.
|
||||
pass
|
||||
|
||||
# Create a new serverproxy with the non-session URI. If there
|
||||
# is an existing connection we need to save the NSS dbdir so
|
||||
# we can skip an unnecessary NSS_Initialize() and avoid
|
||||
# NSS_Shutdown issues.
|
||||
serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate)
|
||||
|
||||
dbdir = None
|
||||
current_conn = getattr(context, self.id, None)
|
||||
if current_conn is not None:
|
||||
dbdir = getattr(current_conn.conn._ServerProxy__transport, 'dbdir', None)
|
||||
if dbdir is not None:
|
||||
self.debug('Using dbdir %s' % dbdir)
|
||||
setattr(context, self.id, Connection(serverproxy, self.disconnect))
|
||||
if dbdir is not None:
|
||||
current_conn = getattr(context, self.id, None)
|
||||
current_conn.conn._ServerProxy__transport.dbdir = dbdir
|
||||
return self.forward(name, *args, **kw)
|
||||
raise NetworkError(uri=server, error=e.errmsg)
|
||||
except socket.error, e:
|
||||
|
Loading…
Reference in New Issue
Block a user