Stop requesting anonymous keytab and purge all references of it

anonymous kinit using keytab never worked so we may safely remove all code that requests/uses it. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-05 17:29:26 +02:00 · 2017-04-05 17:29:26 +02:00 · 68c6a4d4e1
commit 68c6a4d4e1
parent 3adb9ca875
4 changed files with 0 additions and 20 deletions
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -50,7 +50,6 @@ class BasePathNamespace(object):
    HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
    OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
    HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
-    ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
    HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
    IDMAPD_CONF = "/etc/idmapd.conf"
    ETC_IPA = "/etc/ipa"
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -30,7 +30,6 @@ import locale

 import six

-from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
@ -42,7 +41,6 @@ from ipapython.ipa_log_manager import root_logger
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
-from ipalib.constants import ANON_USER
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@ -158,7 +156,6 @@ class HTTPInstance(service.Service):
        self.step("adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        self.step("setting up httpd keytab", self.request_service_keytab)
-        self.step("retrieving anonymous keytab", self.request_anon_keytab)
        self.step("configuring Gssproxy", self.configure_gssproxy)
        self.step("setting up ssl", self.__setup_ssl)
        if self.ca_is_configured:
@ -304,20 +301,6 @@ class HTTPInstance(service.Service):
            if certmonger_stopped:
                certmonger.stop()

-    def request_anon_keytab(self):
-        parent = os.path.dirname(paths.ANON_KEYTAB)
-        if not os.path.exists(parent):
-            os.makedirs(parent, 0o755)
-
-        self.clean_previous_keytab(keytab=paths.ANON_KEYTAB)
-        self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
-
-        pent = pwd.getpwnam(IPAAPI_USER)
-        os.chmod(parent, 0o700)
-        os.chown(parent, pent.pw_uid, pent.pw_gid)
-
-        self.set_keytab_owner(keytab=paths.ANON_KEYTAB, owner=IPAAPI_USER)
-
    def create_password_conf(self):
        """
        This is the format of mod_nss pin files.
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@ -120,7 +120,6 @@ class Backup(admintool.AdminTool):
    )

    files = (
-        paths.ANON_KEYTAB,
        paths.NAMED_CONF,
        paths.NAMED_KEYTAB,
        paths.RESOLV_CONF,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1795,7 +1795,6 @@ def upgrade_configuration():
                        KDC_KEY=paths.KDC_KEY,
                        CACERT_PEM=paths.CACERT_PEM)
    krb.add_anonymous_principal()
-    http.request_anon_keytab()
    setup_pkinit(krb)

    if not ds_running: