domain-level agnostic keytab retrieval in httpinstance

apache keytab is now retrieved using the same method in both domain levels. The difference lies in the authentication scheme used to retrieve service keytab: * in DL0 passed in DM credentials are used * in DL1 GSSAPI is used https://fedorahosted.org/freeipa/ticket/6405 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-04 14:58:42 +01:00
parent 4e97a0171a
commit 73fc15556d
2 changed files with 4 additions and 30 deletions
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -119,11 +119,13 @@ class WebGuiInstance(service.SimpleServiceInstance):
        service.SimpleServiceInstance.__init__(self, "ipa_webgui")

 class HTTPInstance(service.Service):
-    def __init__(self, fstore=None, cert_nickname='Server-Cert'):
+    def __init__(self, fstore=None, cert_nickname='Server-Cert',
+                 api=api):
        super(HTTPInstance, self).__init__(
            "httpd",
            service_desc="the web interface",
            fstore=fstore,
+            api=api,
            service_prefix=u'HTTP',
            service_user=HTTPD_USER,
            keytab=paths.IPA_KEYTAB)
@@ -167,7 +169,7 @@ class HTTPInstance(service.Service):
        if self.ca_is_configured:
            self.step("configure certmonger for renewals",
                      self.configure_certmonger_renewal_guard)
-        self.step("setting up httpd keytab", self.__create_http_keytab)
+        self.step("setting up httpd keytab", self._request_service_keytab)
        self.step("setting up ssl", self.__setup_ssl)
        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
        self.step("publish CA cert", self.__publish_ca_cert)
@@ -201,16 +203,6 @@ class HTTPInstance(service.Service):
        except ipapython.errors.SetseboolError as e:
            self.print_msg(e.format_service_warning('web interface'))

-    def __create_http_keytab(self):
-        if not self.promote:
-            installutils.remove_keytab(self.keytab)
-            installutils.kadmin_addprinc(self.principal)
-            installutils.create_keytab(self.keytab, self.principal)
-            self.move_service(self.principal)
-
-        pent = pwd.getpwnam(self.service_user)
-        os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
-
    def remove_httpd_ccache(self):
        # Clean up existing ccache
        # Make sure that empty env is passed to avoid passing KRB5CCNAME from
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -76,23 +76,6 @@ def make_pkcs12_info(directory, cert_name, password_name):
        return None


-def install_http_keytab(config, fstore, remote_api):
-
-    # Obtain keytab for the HTTP service
-    fstore.backup_file(paths.IPA_KEYTAB)
-    try:
-        os.unlink(paths.IPA_KEYTAB)
-    except OSError:
-        pass
-
-    principal = 'HTTP/%s@%s' % (config.host_name, config.realm_name)
-    installutils.install_service_keytab(remote_api,
-                                        principal,
-                                        config.master_host_name,
-                                        paths.IPA_KEYTAB,
-                                        force_service_add=True)
-
-
 def install_http_certs(host_name, realm_name, subject_base):
    principal = 'HTTP/%s@%s' % (host_name, realm_name)
    # Obtain certificate for the HTTP service
@@ -1351,7 +1334,6 @@ def install(installer):

        if promote:
            # we need to install http certs to setup ssl for httpd
-            install_http_keytab(config, fstore, remote_api)
            install_http_certs(config.host_name,
                               config.realm_name,
                               config.subject_base)