It might happen that systemd will restart the service even if there is
no incomming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.
Reviewed-By: Martin Basti <>
Reviewed-By: Oleg Fayans <>
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.
Related to ticket:
Reviewed-By: Petr Spacek <>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <>
Reviewed-By: Robbie Harwood <>
Reviewed-By: Simo Sorce <>
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.
Reviewed-By: Martin Basti <>
OpenDNSSEC stores key metadata in local time zone but BIND needs
timestamps in UTC. UTC will be stored in LDAP.
Reviewed-By: Martin Basti <>
New exporter's command 'ipa-full-update' will resynchronize all zone
keys from ODS database to LDAP.
This command holds database lock for the whole time to avoid race
conditions so it should be used only in special cases, e.g. during
master server migration.
Reviewed-By: Martin Basti <>
Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.
Reviewed-By: Martin Basti <>
ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic
'ccache' filename for credential storage, making debugging Kerberos-related
errors unnecessarily complicated. This patch renames the ccache files so that
each of these daemons now has its own credenital cache.
Reviewed-By: Petr Spacek <>
Calls to using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <>
Reviewed-By: Simo Sorce <>
Reviewed-By: Petr Spacek <>