ipa-restore must stop tracking PKINIT cert in the preparation phase

ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).

Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2017-01-20 08:33:22 +01:00 committed by Martin Babinsky
parent 26630db9d0
commit ceec512b09

View File

@ -41,7 +41,7 @@ from ipaserver.install.cainstance import create_ca_user
from ipaserver.install.replication import (wait_for_task, ReplicationManager,
get_cs_replication_manager)
from ipaserver.install import installutils
from ipaserver.install import dsinstance, httpinstance, cainstance
from ipaserver.install import dsinstance, httpinstance, cainstance, krbinstance
from ipapython import ipaldap
import ipapython.errors
from ipaplatform.constants import constants
@ -821,6 +821,8 @@ class Restore(admintool.AdminTool):
# When IPA is not installed, DS NSS DB does not exist
pass
krbinstance.KrbInstance().stop_tracking_certs()
for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
try: