author | Petr Viktorin <pviktori@redhat.com> | 2012-06-06 10:44:06 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-11 14:42:52 +0200 |
commit | 3e3ac0ebabb5db25f9179b16ca8b4967e98a82a6 (patch) | |
tree | 5b44e9b45aa2c3edfd651d9fdd645fe86ef0d33d | |
parent | ee936431c88a7b089c9c2780d63b393813d114e5 (diff) | |
Clean keytabs before installing new keys into them
In ipa-client-install (which is also called from server/replica
installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be
sure that there aren't any remnants from a previous install of
IPA or another KDC altogether.
https://fedorahosted.org/freeipa/ticket/2698
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afc332a99..79df8972c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1206,6 +1206,21 @@ def install(options, env, fstore, statestore):
 if not options.unattended and not user_input("Continue to configure the system with these values?", False):
 return CLIENT_INSTALL_ERROR
 
+ if not options.on_master:
+ # Try removing old principals from the keytab
+ try:
+ ipautil.run(['/usr/sbin/ipa-rmkeytab',
+ '-k', '/etc/krb5.keytab', '-r', cli_realm])
+ except CalledProcessError, e:
+ if e.returncode not in (3, 5):
+ # 3 - Unable to open keytab
+ # 5 - Principal name or realm not found in keytab
+ root_logger.error("Error trying to clean keytab: " +
+ "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
+ else:
+ root_logger.info("Removed old keys for realm %s from %s" % (
+ cli_realm, '/etc/krb5.keytab'))
+
 if options.hostname and not options.on_master:
 # configure /etc/sysconfig/network to contain the hostname we set.
 # skip this step when run by ipa-server-install as it always configures |
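Review bot: In the `except CalledProcessError` branch, a return code other than 3 or 5 is logged with `root_logger.error` and installation then carries on, so the keytab may still hold the old realm keys that this step exists to remove before new ones are written. Consider failing closed with `return CLIENT_INSTALL_ERROR` after the log call, or, if continuing is intended, say so in a comment and have the message state that stale keys may remain in the keytab. Code 3 is treated as benign on the strength of the comment `Unable to open keytab`; if ipa-rmkeytab also returns it for a keytab that exists but cannot be read, that case would deserve at least a warning (this cannot be confirmed from the hunk). The literal `'/etc/krb5.keytab'` is written twice, so binding it to one local name would keep the command and the log message in step. `install()` starts and ends outside the hunk.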