authorPetr Viktorin <pviktori@redhat.com>2012-06-06 10:44:06 -0400
committerMartin Kosek <mkosek@redhat.com>2012-06-11 14:42:52 +0200
commit3e3ac0ebabb5db25f9179b16ca8b4967e98a82a6 (patch)
tree5b44e9b45aa2c3edfd651d9fdd645fe86ef0d33d
parentee936431c88a7b089c9c2780d63b393813d114e5 (diff)
Clean keytabs before installing new keys into them
In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether. https://fedorahosted.org/freeipa/ticket/2698
-rwxr-xr-xipa-client/ipa-install/ipa-client-install15
1 files changed, 15 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afc332a99..79df8972c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1206,6 +1206,21 @@ def install(options, env, fstore, statestore):
if not options.unattended and not user_input("Continue to configure the system with these values?", False):
return CLIENT_INSTALL_ERROR
+ if not options.on_master:
+ # Try removing old principals from the keytab
+ try:
+ ipautil.run(['/usr/sbin/ipa-rmkeytab',
+ '-k', '/etc/krb5.keytab', '-r', cli_realm])
+ except CalledProcessError, e:
+ if e.returncode not in (3, 5):
+ # 3 - Unable to open keytab
+ # 5 - Principal name or realm not found in keytab
+ root_logger.error("Error trying to clean keytab: " +
+ "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
+ else:
+ root_logger.info("Removed old keys for realm %s from %s" % (
+ cli_realm, '/etc/krb5.keytab'))
+
if options.hostname and not options.on_master:
# configure /etc/sysconfig/network to contain the hostname we set.
# skip this step when run by ipa-server-install as it always configures