mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
improve the handling of krb5-related errors in dnssec daemons
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks. https://fedorahosted.org/freeipa/ticket/5229 Reviewed-By: Martin Basti <mbasti@redhat.com>
committed by
Martin Basti
parent
9ca156c859
commit
a9f010fc28
@@ -12,6 +12,7 @@ from binascii import hexlify
|
|||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
import dns.dnssec
|
import dns.dnssec
|
||||||
import fcntl
|
import fcntl
|
||||||
|
from krbV import Krb5Error
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
from pprint import pprint
|
from pprint import pprint
|
||||||
@@ -141,7 +142,14 @@ log.setLevel(level=logging.DEBUG)
|
|||||||
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
|
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
|
||||||
log.debug('Kerberos principal: %s', PRINCIPAL)
|
log.debug('Kerberos principal: %s', PRINCIPAL)
|
||||||
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
|
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
|
||||||
ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
|
|
||||||
|
try:
|
||||||
|
ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
|
||||||
|
ccache_filename, attempts=5)
|
||||||
|
except Krb5Error as e:
|
||||||
|
log.critical('Kerberos authentication failed: %s', e)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
os.environ['KRB5CCNAME'] = ccache_filename
|
os.environ['KRB5CCNAME'] = ccache_filename
|
||||||
log.debug('Got TGT')
|
log.debug('Got TGT')
|
||||||
|
|
||||||
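Review bot: The new `except Krb5Error as e:` around `ipautil.kinit_keytab(...)` is narrower than the `except Exception as ex:` used for the same call in the section that writes `ipa-dnskeysyncd.ccache`. Any other exception type raised by `kinit_keytab` (its body is not shown on this page) would therefore still end in a traceback, which is what the commit message sets out to avoid. Either align the three call sites on one policy or state the intent in a comment, e.g. `# only Krb5Error is expected here; anything else is a bug and should surface as a traceback`. The same applies to the section that writes `ipa-ods-exporter.ccache`. The added `sys.exit(1)` also depends on `sys` being imported outside the visible import context, which is worth confirming.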
|
|||||||
@@ -66,9 +66,9 @@ PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
|
|||||||
log.debug('Kerberos principal: %s', PRINCIPAL)
|
log.debug('Kerberos principal: %s', PRINCIPAL)
|
||||||
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
|
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
|
||||||
try:
|
try:
|
||||||
ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
|
ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
|
||||||
except Exception as ex:
|
except Exception as ex:
|
||||||
log.critical(ex)
|
log.critical("Kerberos authentication failed: %s", ex)
|
||||||
# signal failure and let init system to restart the daemon
|
# signal failure and let init system to restart the daemon
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
os.environ['KRB5CCNAME'] = ccache_filename
|
os.environ['KRB5CCNAME'] = ccache_filename
|
||||||
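Review bot: With the new message, the `except Exception as ex:` handler reports every failure as "Kerberos authentication failed", including ones unrelated to Kerberos, such as an unreadable keytab path or an `ipautil` build whose `kinit_keytab` does not accept `attempts`. Because only `str(ex)` is logged, the stack that would tell these cases apart is lost. Keeping the critical line and adding `log.debug('kinit_keytab failure details', exc_info=True)` before `sys.exit(1)` would preserve the diagnostic without reintroducing the crash. It would also help to document next to `attempts=5` why five retries are used and whether they cover non-transient errors, since that is decided inside `kinit_keytab` and not visible here.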
|
|||||||
@@ -20,6 +20,7 @@ from datetime import datetime
|
|||||||
import dateutil.tz
|
import dateutil.tz
|
||||||
import dns.dnssec
|
import dns.dnssec
|
||||||
import fcntl
|
import fcntl
|
||||||
|
from krbV import Krb5Error
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
@@ -482,7 +483,14 @@ ipalib.api.finalize()
|
|||||||
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
|
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
|
||||||
log.debug('Kerberos principal: %s', PRINCIPAL)
|
log.debug('Kerberos principal: %s', PRINCIPAL)
|
||||||
ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
|
ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
|
||||||
ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)
|
|
||||||
|
try:
|
||||||
|
ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
|
||||||
|
attempts=5)
|
||||||
|
except Krb5Error as e:
|
||||||
|
log.critical('Kerberos authentication failed: %s', e)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
os.environ['KRB5CCNAME'] = ccache_name
|
os.environ['KRB5CCNAME'] = ccache_name
|
||||||
log.debug('Got TGT')
|
log.debug('Got TGT')
|
||||||
|
|
||||||
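Review bot: The new `log.critical('Kerberos authentication failed: %s', e)` line omits the principal and keytab that were tried, and the principal is otherwise logged only at debug level a few lines earlier. An operator triaging a failed key export from the critical line alone cannot tell which service identity or keytab is broken. Consider `log.critical('Kerberos authentication failed for %s (keytab %s): %s', PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, e)`. A short comment above `sys.exit(1)` stating what the caller is expected to do with the non-zero status would match the comment already present in the section that writes `ipa-dnskeysyncd.ccache`.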
|
|||||||