Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf

The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, so we need
to stop it and uninstall the service.

The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.

https://fedorahosted.org/freeipa/ticket/2341
Rob Crittenden 2012-02-13 09:16:26 -05:00 committed by Martin Kosek
parent fc2de93035
commit 95b1848f19
2 changed files with 76 additions and 1 deletions


@ -440,6 +440,19 @@ if [ "$1" -ge "1" ]; then
%endif
fi
%pre server
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
# zombie process when we're done.
if [ -e /usr/sbin/ipa_kpasswd ]; then
%if 0%{?fedora} >= 16
# Use systemd scheme
/bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
%else
# Use SystemV scheme only before F16
/sbin/service ipa_kpasswd stop >/dev/null 2>&1 || :
%endif
fi
%pre server-selinux
if [ -s /etc/selinux/config ]; then
. %{_sysconfdir}/selinux/config
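Review bot: The new `%pre server` scriptlet stops ipa_kpasswd but never disables it, and the upgrade script in this same commit deliberately skips the full service uninstaller. The boot-time enablement (a systemd wants symlink or SysV rc links) therefore appears to be left behind once the package no longer ships the service. If nothing outside this page handles that, add `/bin/systemctl --no-reload disable ipa_kpasswd.service >/dev/null 2>&1 || :` to the systemd branch and `/sbin/chkconfig --del ipa_kpasswd >/dev/null 2>&1 || :` to the SysV branch. Because the stop result is discarded by `|| :`, a comment there should also say that a daemon which fails to stop keeps running next to kadmin until the next reboot.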


@ -29,6 +29,7 @@ try:
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
from ipaserver.install import service
import krbV
import re
import os
@ -43,6 +44,25 @@ error was:
""" % sys.exc_value
sys.exit(1)
class KpasswdInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_kpasswd")
def uninstall_ipa_kpasswd():
"""
We can't use the full service uninstaller because that will attempt
to stop and disable the service which by now doesn't exist. We just
want to clean up sysrestore.state to remove all references to
ipa_kpasswd.
"""
ipa_kpasswd = KpasswdInstance()
running = ipa_kpasswd.restore_state("running")
enabled = not ipa_kpasswd.restore_state("enabled")
if enabled is not None and not enabled:
ipa_kpasswd.remove()
def backup_file(filename, ext):
"""Make a backup of filename using ext as the extension. Do not overwrite
previous backups."""
@ -119,7 +139,7 @@ def upgrade(sub_dict, filename, template, add=False):
if new < 0:
print "%s not found." % template
if old < new or add:
if old < new or (add and old == 0):
backup_file(filename, new)
update_conf(sub_dict, filename, template)
print "Upgraded %s to version %d" % (filename, new)
@ -157,6 +177,46 @@ def upgrade_pki():
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
def update_dbmodules(realm, filename="/etc/krb5.conf"):
newfile = []
found_dbrealm = False
found_realm = False
prefix = ''
st = os.stat(filename)
fd = open(filename)
lines = fd.readlines()
fd.close()
if ' db_library = ipadb.so\n' in lines:
# Already updated
return
for line in lines:
if line.startswith('[dbmodules]'):
found_dbrealm = True
if found_dbrealm and line.find(realm) > -1:
found_realm = True
prefix = '#'
if found_dbrealm and line.find('}') > -1 and found_realm:
found_realm = False
newfile.append('#%s' % line)
prefix = ''
continue
newfile.append('%s%s' % (prefix, line))
# Append updated dbmodules information
newfile.append(' %s = {\n' % realm)
newfile.append(' db_library = ipadb.so\n')
newfile.append(' }\n')
# Write out new file
fd = open(filename, 'w')
fd.write("".join(newfile))
fd.close()
def main():
"""
Get some basics about the system. If getting those basics fail then
@ -188,6 +248,8 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
upgrade_pki()
update_dbmodules(krbctx.default_realm)
uninstall_ipa_kpasswd()
try:
if __name__ == "__main__":
sys.exit(main())
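Review bot: update_dbmodules() rewrites /etc/krb5.conf in place with `open(filename, 'w')` and takes no backup first, so an error between the truncate and the close leaves the KDC host with a partial Kerberos configuration and nothing to restore from. This file already defines backup_file(); calling it before the write, e.g. `backup_file(filename, "<ext>")` (the extension is a placeholder, and backup_file's body is not visible here), would cover that. `st = os.stat(filename)` is assigned and never read, so either use it to re-apply the original mode and ownership after the write or drop it. The replacement realm block is appended at the end of the file, which lands inside `[dbmodules]` only when that is the last section. `found_dbrealm` is also never cleared at a later `[section]` header, and `line.find(realm)` matches substrings, so lines mentioning the realm in a following section would be commented out as well.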