authorrcritten@redhat.com <rcritten@redhat.com>2007-10-03 17:37:13 -0400
committerrcritten@redhat.com <rcritten@redhat.com>2007-10-03 17:37:13 -0400
commit53e872fb72098a8c504613c0946cecfe31d5fab7 (patch)
treeaa11252b777403e3d9cad75699ae24d900d069d8
parent1cef67e2e16ec137a1d04f9f4f99694ed36e3d28 (diff)
Try to catch more error conditions during installation
Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/ipa-install/ipa-server-install53
-rw-r--r--ipa-server/ipaserver/bindinstance.py5
-rw-r--r--ipa-server/ipaserver/dsinstance.py54
-rw-r--r--ipa-server/ipaserver/krbinstance.py44
-rw-r--r--ipa-server/xmlrpc-server/funcs.py7
6 files changed, 124 insertions, 44 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 67bd96dc3..9e9a74140 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -144,3 +144,8 @@ CONNECTION_NO_CCACHE = gen_error_code(
CONNECTION_CATEGORY,
0x0002,
"No Kerberos credentials cache is available. Connection cannot be made.")
+
+CONNECTION_GSSAPI_CREDENTIALS = gen_error_code(
+ CONNECTION_CATEGORY,
+ 0x0003,
+ "GSSAPI Authorization error")
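Review bot: The new message "GSSAPI Authorization error" names the wrong kind of failure: funcs.py raises this code on ldap.INVALID_CREDENTIALS, which is an authentication (credential) failure, not an authorization decision, so an operator reading it will look in the wrong place. Suggest `"GSSAPI authentication failed. Kerberos credentials are invalid or unusable."`, which also matches the register of CONNECTION_NO_CCACHE just above.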
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index fd2071ad8..0c2080187 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -34,6 +34,7 @@ import socket
import logging
import pwd
import getpass
+import subprocess
import signal
import shutil
import glob
@@ -430,36 +431,46 @@ def main():
ds.restart()
krb.restart()
- # Allow apache to connect to the turbogears web gui
try:
- run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
- except:
- # SELinux may be disabled
- pass
+ selinux=0
+ try:
+ if (os.path.exists('/usr/sbin/selinuxenabled')):
+ run(["/usr/sbin/selinuxenabled"])
+ selinux=1
+ except subprocess.CalledProcessError, e:
+ # selinuxenabled returns 1 if not enabled
+ pass
+
+ if selinux:
+ # Allow apache to connect to the turbogears web gui
+ run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
- # Start the web gui
- run(["/sbin/service", "ipa-webgui", "start"])
+ # Start the web gui
+ run(["/sbin/service", "ipa-webgui", "start"])
- # Set the web gui to start on boot
- run(["/sbin/chkconfig", "ipa-webgui", "on"])
+ # Set the web gui to start on boot
+ run(["/sbin/chkconfig", "ipa-webgui", "on"])
- # Restart apache
- run(["/sbin/service", "httpd", "restart"])
+ # Restart apache
+ run(["/sbin/service", "httpd", "restart"])
- # Set apache to start on boot
- run(["/sbin/chkconfig", "httpd", "on"])
+ # Set apache to start on boot
+ run(["/sbin/chkconfig", "httpd", "on"])
- # Set fedora-ds to start on boot
- run(["/sbin/chkconfig", "dirsrv", "on"])
+ # Set fedora-ds to start on boot
+ run(["/sbin/chkconfig", "dirsrv", "on"])
- # Set the KDC to start on boot
- run(["/sbin/chkconfig", "krb5kdc", "on"])
+ # Set the KDC to start on boot
+ run(["/sbin/chkconfig", "krb5kdc", "on"])
- # Set the Kpasswd to start on boot
- run(["/sbin/chkconfig", "ipa-kpasswd", "on"])
+ # Set the Kpasswd to start on boot
+ run(["/sbin/chkconfig", "ipa-kpasswd", "on"])
- # Start Kpasswd
- run(["/sbin/service", "ipa-kpasswd", "start"])
+ # Start Kpasswd
+ run(["/sbin/service", "ipa-kpasswd", "start"])
+ except subprocess.CalledProcessError, e:
+ print "Installation failed:", e
+ return 1
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
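Review bot: When any step inside the widened try (L52–L101) fails, main() prints `Installation failed:` and returns 1, but the services restarted and chkconfig entries enabled before the failing step stay running and enabled, and nothing says which step failed beyond the raw exception text, so the message should at least say the system is partially configured; since logging is imported (L41), `logging.error("Installation failed: %s", e)` next to the print would put the reason in the install log too. The SELinux probe at L57–L64 only distinguishes exit 0 from a CalledProcessError: if run() raises anything else (an OSError because the binary exists but is not executable, for example) it is neither caught by the inner except nor by the outer one at L101, and `selinux=0`/`selinux=1` would read better as `selinux = True`/`False`. Whether `return 1` becomes the process exit status depends on how main() is invoked, which is not visible here; main() starts and ends outside this hunk.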
diff --git a/ipa-server/ipaserver/bindinstance.py b/ipa-server/ipaserver/bindinstance.py
index 708cc9337..8a131fe79 100644
--- a/ipa-server/ipaserver/bindinstance.py
+++ b/ipa-server/ipaserver/bindinstance.py
@@ -68,7 +68,10 @@ class BindInstance:
self.__setup_zone()
self.__setup_named_conf()
- self.start()
+ try:
+ self.start()
+ except:
+ print "named service failed to start"
def stop(self):
run(["/sbin/service", "named", "stop"])
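Review bot: The `except:` at L116 is a bare except, so it also swallows KeyboardInterrupt and SystemExit and any programming error inside start(), and it discards the exception, leaving only "named service failed to start" with no reason. If run() raises subprocess.CalledProcessError as the dsinstance.py hunks assume, prefer `except subprocess.CalledProcessError, e:` followed by `print "named service failed to start:", e` (assuming subprocess is imported in this module; the context does not show its imports). The same bare `except:` is introduced in dsinstance.py around self.restart() (L131) and in krbinstance.py around self.stop() (L223) and self.start() (L232); the one around stop() is defensible as best-effort but would still be clearer narrowed. The enclosing method starts outside this hunk.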
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index bb1f021a3..5c59cfa77 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -91,7 +91,11 @@ class DsInstance:
self.__add_default_schemas()
self.__enable_ssl()
self.__certmap_conf()
- self.restart()
+ try:
+ self.restart()
+ except:
+ # TODO: roll back here?
+ print "Failed to restart the ds instance"
self.__add_default_layout()
self.__create_test_users()
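Review bot: After the handler at L131–L133 prints "Failed to restart the ds instance", control falls through to __add_default_layout() and __create_test_users() (L134–L135), which need a running directory server, so a restart failure becomes a cascade of later, less explainable errors instead of a stopped install; the TODO on L132 points the same way. Every new handler in this file continues after failure in the same manner (useradd at L142–L147, ds_newinst.pl and restart at L156–L170, ssl at L179–L184, layout at L193–L198, ldappasswd at L207–L212), as do the krbinstance.py handlers. Unless a step is genuinely optional, suggest re-raising after the message (a bare `raise` inside the except) so the caller in ipa-server-install, which this commit teaches to stop on CalledProcessError, actually stops. The enclosing method starts outside this hunk.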
@@ -126,8 +130,12 @@ class DsInstance:
except KeyError:
logging.debug("adding ds user %s" % self.ds_user)
args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
- run(args)
- logging.debug("done adding user")
+ try:
+ run(args)
+ logging.debug("done adding user")
+ except subprocess.CalledProcessError, e:
+ print "Failed to add user", e
+ logging.debug("failed to add user %s" % e)
def __create_instance(self):
logging.debug("creating ds instance . . . ")
@@ -141,11 +149,19 @@ class DsInstance:
else:
args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
logging.debug("calling ds_newinst.pl")
- run(args)
- logging.debug("completed creating ds instance")
+ try:
+ run(args)
+ logging.debug("completed creating ds instance")
+ except subprocess.CalledProcessError, e:
+ print "failed to restart ds instance", e
+ logging.debug("failed to restart ds instance %s" % e)
logging.debug("restarting ds instance")
- self.restart()
- logging.debug("done restarting ds instance")
+ try:
+ self.restart()
+ logging.debug("done restarting ds instance")
+ except subprocess.CalledProcessError, e:
+ print "failed to restart ds instance", e
+ logging.debug("failed to restart ds instance %s" % e)
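Review bot: The messages at L160–L161 are copied from the restart handler below them: a ds_newinst.pl failure is reported as "failed to restart ds instance", which sends whoever reads the install log to the wrong step. Suggest `print "failed to create ds instance", e` and `logging.debug("failed to create ds instance %s" % e)`. Note also that when ds_newinst.pl fails the code goes on to self.restart() (L162–L166) of an instance that was never created, so the second message will follow the first on the same failure.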
def __add_default_schemas(self):
shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
@@ -158,8 +174,12 @@ class DsInstance:
dirname = self.config_dirname()
args = ["/usr/share/ipa/ipa-server-setupssl", self.dm_password,
dirname, self.host_name]
- run(args)
- logging.debug("done configuring ssl for ds instance")
+ try:
+ run(args)
+ logging.debug("done configuring ssl for ds instance")
+ except subprocess.CalledProcessError, e:
+ print "Failed to enable ssl in ds instance", e
+ logging.debug("Failed to configure ssl in ds instance %s" % e)
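Review bot: The new handlers print and log `e`, and if run() raises subprocess.CalledProcessError with the argument list as its cmd (the usual way to raise it), str(e) is "Command '[...]' returned non-zero exit status N", i.e. the whole command line, which here contains the Directory Manager password (self.dm_password at L175, `-w self.dm_password` at L190, and `-w self.dm_password` plus `-s password` at L203); on failure the password would land on stdout and in the debug log at L184, L198 and L212, and the kdb5_ldap_util handler in krbinstance.py (L258–L263) would do the same with self.kdc_password and self.master_password. Suggest reporting only the program and exit status, e.g. `logging.debug("Failed to configure ssl in ds instance: %s exited %s" % (args[0], e.returncode))`, and the same for the print. Passing passwords as command-line arguments is pre-existing (visible to other local users via ps), but this change makes them persistent in the log. The enclosing method starts outside this hunk.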
def __add_default_layout(self):
txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
@@ -167,8 +187,12 @@ class DsInstance:
logging.debug("adding default ds layout")
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
"-w", self.dm_password, "-f", inf_fd.name]
- run(args)
- logging.debug("done adding default ds layout")
+ try:
+ run(args)
+ logging.debug("done adding default ds layout")
+ except subprocess.CalledProcessError, e:
+ print "Failed to add default ds layout", e
+ logging.debug("Failed to add default ds layout %s" % e)
def __create_test_users(self):
logging.debug("create test users ldif")
@@ -194,6 +218,10 @@ class DsInstance:
"-D", "cn=Directory Manager", "-w", self.dm_password,
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
"uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
- run(args)
- logging.debug("ldappasswd done")
+ try:
+ run(args)
+ logging.debug("ldappasswd done")
+ except subprocess.CalledProcessError, e:
+ print "Unable to set admin password", e
+ logging.debug("Unable to set admin password %s" % e)
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 18f0db927..4eaa6f413 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -74,7 +74,11 @@ class KrbInstance:
self.suffix = realm_to_suffix(self.realm)
self.kdc_password = generate_kdc_password()
- self.stop()
+ try:
+ self.stop()
+ except:
+ # It could have been not running
+ pass
self.__configure_kdc_account_password()
@@ -94,7 +98,10 @@ class KrbInstance:
self.__add_pwd_extop_module()
- self.start()
+ try:
+ self.start()
+ except:
+ print "krb5kdc service failed to start"
def stop(self):
run(["/sbin/service", "krb5kdc", "stop"])
@@ -127,13 +134,19 @@ class KrbInstance:
#TODO: test that the ldif is ok with any random charcter we may use in the password
kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
kerberos_fd = write_tmp_file(kerberos_txt)
- ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load kerberos.ldif", e
kerberos_fd.close()
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
aci_fd = write_tmp_file(aci_txt)
- ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load default-aci.ldif", e
aci_fd.close()
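Review bot: The handler at L252–L253 prints "Failed to load default-aci.ldif" and continues, but the comment at L246 says this LDIF is what replaces the default ACL that allows anonymous access to kerberos keys and other hashes; if it fails to load, the install completes with the directory still anonymously readable and the only trace is one line on stdout. This step should stop the install on failure (a bare `raise` after the message, or an ipaerror the caller can act on), and it would be worth verifying the ACL at the end of the install rather than assuming it. The kerberos.ldif handler at L243–L244 has the same continue-after-failure shape. The enclosing method starts outside this hunk.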
def __create_instance(self):
@@ -149,20 +162,33 @@ class KrbInstance:
#populate the directory with the realm structure
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
- run(args)
+ try:
+ run(args)
+ except subprocess.CalledProcessError, e:
+ print "Failed to populate the realm structure in kerberos", e
#add the password extop module
def __add_pwd_extop_module(self):
extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
extop_fd = write_tmp_file(extop_txt)
- ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load pwd-extop-conf.ldif", e
extop_fd.close()
#add an ACL to let the DS user read the master key
args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
- run(args)
+ try:
+ run(args)
+ except subprocess.CalledProcessError, e:
+ print "Failed to set the ACL on the master key", e
def __create_ds_keytab(self):
+ try:
+ os.remove("/etc/dirsrv/ds.keytab")
+ except os.OSError:
+ print "Failed to remove /etc/dirsrv/ds.keytab."
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
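Review bot: `except os.OSError:` at L284 names an attribute the os module does not provide (the exception is the builtin OSError; the module-level alias is os.error), so when os.remove fails, which is the normal case on a fresh install where /etc/dirsrv/ds.keytab does not exist yet, evaluating the except clause raises AttributeError and __create_ds_keytab aborts on exactly the situation the try was added for. Suggest `except OSError, e:` and, since a missing file is expected rather than a failure, `if e.errno != errno.ENOENT: raise` (with errno imported) or an os.path.exists guard before the remove, so the message is printed only when removal actually failed. The same `except os.OSError:` is introduced in __create_http_keytab at L294. __create_ds_keytab continues outside the hunk.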
@@ -218,6 +244,10 @@ class KrbInstance:
os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid)
def __create_http_keytab(self):
+ try:
+ os.remove("/etc/httpd/conf/ipa.keytab")
+ except os.OSError:
+ print "Failed to remove /etc/httpd/conf/ipa.keytab."
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 0f4850e9e..bf2cde4f4 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -69,7 +69,7 @@ class IPAConnPool:
if conn is None:
return
# We can't re-use SASL connections. If proxydn is None it means
- # we have a Kerberos credentails cache set. See ipaldap.set_krbccache
+ # we have a Kerberos credentials cache set. See ipaldap.set_krbccache
if conn.proxydn is None:
conn.unbind_s()
else:
@@ -168,7 +168,10 @@ class IPAServer:
else:
raise ipaerror.gen_exception(ipaerror.CONNECTION_NO_CCACHE)
- conn = _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache,debug)
+ try:
+ conn = _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache,debug)
+ except ldap.INVALID_CREDENTIALS, e:
+ raise ipaerror.gen_exception(ipaerror.CONNECTION_GSSAPI_CREDENTIALS, nested_exception=e)
if conn is None:
raise ipaerror.gen_exception(ipaerror.CONNECTION_NO_CONN)
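Review bot: The except at L318 maps every ldap.INVALID_CREDENTIALS from getConn() to CONNECTION_GSSAPI_CREDENTIALS, but getConn is also called with proxy_dn and the bindca/bindcert/bindkey arguments (L317), and if I read the branch above correctly that is the non-ccache path, so a rejected proxy or certificate bind would be reported as a GSSAPI error. Suggest guarding on the bind type, e.g. `if krbccache is None: raise` before the GSSAPI mapping, or a bind-neutral error code. In my experience python-ldap reports an unusable or expired ccache during a GSSAPI bind as ldap.LOCAL_ERROR rather than INVALID_CREDENTIALS, so the failure the commit message targets may still surface raw; worth confirming against the client library in use. The enclosing method starts and ends outside this hunk.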