authorMartin Babinsky <mbabinsk@redhat.com>2015-08-18 18:33:37 +0200
committerMartin Basti <mbasti@redhat.com>2015-08-18 21:11:58 +0200
commita9f010fc286bee163601cbf0b512c6170501a1e9 (patch)
tree5691afb7b395238a796a81a33683bc1af5b4235e
parent9ca156c85919108d0c13718384dc196075364398 (diff)
improve the handling of krb5-related errors in dnssec daemons
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks. https://fedorahosted.org/freeipa/ticket/5229 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rwxr-xr-xdaemons/dnssec/ipa-dnskeysync-replica10
-rwxr-xr-xdaemons/dnssec/ipa-dnskeysyncd4
-rwxr-xr-xdaemons/dnssec/ipa-ods-exporter10
3 files changed, 20 insertions, 4 deletions
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 551c2f21d..b80b38962 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -12,6 +12,7 @@ from binascii import hexlify
from datetime import datetime
import dns.dnssec
import fcntl
+from krbV import Krb5Error
import logging
import os
from pprint import pprint
@@ -141,7 +142,14 @@ log.setLevel(level=logging.DEBUG)
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
log.debug('Kerberos principal: %s', PRINCIPAL)
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
+
+try:
+ ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
+ ccache_filename, attempts=5)
+except Krb5Error as e:
+ log.critical('Kerberos authentication failed: %s', e)
+ sys.exit(1)
+
os.environ['KRB5CCNAME'] = ccache_filename
log.debug('Got TGT')
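Review bot: The new `except Krb5Error` around `ipautil.kinit_keytab(...)` is narrower than the `except Exception` that ipa-dnskeysyncd uses for the same call, so a failure of any other type would still end in a traceback. Whether kinit_keytab can raise anything else, for example on an unreadable keytab or ccache path, is not visible here. The same applies to the identical hunk in ipa-ods-exporter. Either align the three daemons on one policy or state the intent in a comment such as `# only Krb5Error is expected from kinit_keytab; any other exception is a bug and should traceback`. The handler also relies on `sys` being imported outside the visible lines, and `attempts=5` is a repeated literal in all three files, so a shared named constant would keep the retry policy in one place.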
diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
index a0fcf8b4b..660e34b45 100755
--- a/daemons/dnssec/ipa-dnskeysyncd
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -66,9 +66,9 @@ PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
log.debug('Kerberos principal: %s', PRINCIPAL)
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
try:
- ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
+ ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
except Exception as ex:
- log.critical(ex)
+ log.critical("Kerberos authentication failed: %s", ex)
# signal failure and let init system to restart the daemon
sys.exit(1)
os.environ['KRB5CCNAME'] = ccache_filename
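Review bot: The handler still catches `Exception`, but the new message labels every failure as `Kerberos authentication failed`. That can misdirect triage when the cause is something else, such as a permissions problem on the keytab or the ccache file. Including the exception type keeps the log line accurate for whoever reads it during an outage, e.g. `log.critical("Kerberos authentication failed: %s: %s", type(ex).__name__, ex)`. The surrounding script body continues outside the hunk.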
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 4c6649c2f..4d5423797 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -20,6 +20,7 @@ from datetime import datetime
import dateutil.tz
import dns.dnssec
import fcntl
+from krbV import Krb5Error
import logging
import os
import subprocess
@@ -482,7 +483,14 @@ ipalib.api.finalize()
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
log.debug('Kerberos principal: %s', PRINCIPAL)
ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)
+
+try:
+ ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
+ attempts=5)
+except Krb5Error as e:
+ log.critical('Kerberos authentication failed: %s', e)
+ sys.exit(1)
+
os.environ['KRB5CCNAME'] = ccache_name
log.debug('Got TGT')