DNSSEC: remove ccache and keytab of ipa-ods-exporter

Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Petr Spacek <pspacek@redhat.com>

daemons/dnssec/ipa-ods-exporter

@@ -483,7 +483,7 @@ ipalib.api.finalize()
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
+ccache_name = paths.IPA_ODS_EXPORTER_CCACHE
 
 try:
     ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,

ipaplatform/base/paths.py

@@ -333,6 +333,7 @@ class BasePathNamespace(object):
     NAMED_RUN = "/var/named/data/named.run"
     VAR_OPENDNSSEC_DIR = "/var/opendnssec"
     OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
+    IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
     VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
     KRB5CC_HTTPD = "/var/run/httpd/ipa/krbcache/krb5ccache"
     IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"

ipaserver/install/odsexporterinstance.py

@@ -93,6 +93,13 @@ class ODSExporterInstance(service.Service):
 
     def __setup_principal(self):
         assert self.ods_uid is not None
+
+        for f in [paths.IPA_ODS_EXPORTER_CCACHE, paths.IPA_ODS_EXPORTER_KEYTAB]:
+            try:
+                os.remove(f)
+            except OSError:
+                pass
+
         dns_exporter_principal = "ipa-ods-exporter/" + self.fqdn + "@" + self.realm
         installutils.kadmin_addprinc(dns_exporter_principal)