diff options
Diffstat (limited to 'ipa-server/ipaserver/krbinstance.py')
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 44 |
1 files changed, 37 insertions, 7 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 18f0db927..4eaa6f413 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -74,7 +74,11 @@ class KrbInstance: self.suffix = realm_to_suffix(self.realm) self.kdc_password = generate_kdc_password() - self.stop() + try: + self.stop() + except: + # It could have been not running + pass self.__configure_kdc_account_password() @@ -94,7 +98,10 @@ class KrbInstance: self.__add_pwd_extop_module() - self.start() + try: + self.start() + except: + print "krb5kdc service failed to start" def stop(self): run(["/sbin/service", "krb5kdc", "stop"]) @@ -127,13 +134,19 @@ class KrbInstance: #TODO: test that the ldif is ok with any random charcter we may use in the password kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) kerberos_fd = write_tmp_file(kerberos_txt) - ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) + try: + ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) + except subprocess.CalledProcessError, e: + print "Failed to load kerberos.ldif", e kerberos_fd.close() #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict) aci_fd = write_tmp_file(aci_txt) - ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) + try: + ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) + except subprocess.CalledProcessError, e: + print "Failed to load default-aci.ldif", e aci_fd.close() def __create_instance(self): @@ -149,20 +162,33 @@ class KrbInstance: #populate the directory with the realm structure args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] - run(args) + try: + run(args) + except subprocess.CalledProcessError, e: + print "Failed to populate the realm structure in kerberos", e #add the password extop module def __add_pwd_extop_module(self): extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict) extop_fd = write_tmp_file(extop_txt) - ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) + try: + ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) + except subprocess.CalledProcessError, e: + print "Failed to load pwd-extop-conf.ldif", e extop_fd.close() #add an ACL to let the DS user read the master key args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] - run(args) + try: + run(args) + except subprocess.CalledProcessError, e: + print "Failed to set the ACL on the master key", e def __create_ds_keytab(self): + try: + os.remove("/etc/dirsrv/ds.keytab") + except os.OSError: + print "Failed to remove /etc/dirsrv/ds.keytab." (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") kwrite.flush() @@ -218,6 +244,10 @@ class KrbInstance: os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid) def __create_http_keytab(self): + try: + os.remove("/etc/httpd/conf/ipa.keytab") + except os.OSError: + print "Failed to remove /etc/httpd/conf/ipa.keytab." (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n") kwrite.flush() |