summaryrefslogtreecommitdiffstats
path: root/ipa-server/ipaserver/krbinstance.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipa-server/ipaserver/krbinstance.py')
-rw-r--r--ipa-server/ipaserver/krbinstance.py44
1 files changed, 37 insertions, 7 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 18f0db927..4eaa6f413 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -74,7 +74,11 @@ class KrbInstance:
self.suffix = realm_to_suffix(self.realm)
self.kdc_password = generate_kdc_password()
- self.stop()
+ try:
+ self.stop()
+ except:
+ # It could have been not running
+ pass
self.__configure_kdc_account_password()
@@ -94,7 +98,10 @@ class KrbInstance:
self.__add_pwd_extop_module()
- self.start()
+ try:
+ self.start()
+ except:
+ print "krb5kdc service failed to start"
def stop(self):
run(["/sbin/service", "krb5kdc", "stop"])
@@ -127,13 +134,19 @@ class KrbInstance:
#TODO: test that the ldif is ok with any random charcter we may use in the password
kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
kerberos_fd = write_tmp_file(kerberos_txt)
- ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load kerberos.ldif", e
kerberos_fd.close()
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
aci_fd = write_tmp_file(aci_txt)
- ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load default-aci.ldif", e
aci_fd.close()
def __create_instance(self):
@@ -149,20 +162,33 @@ class KrbInstance:
#populate the directory with the realm structure
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
- run(args)
+ try:
+ run(args)
+ except subprocess.CalledProcessError, e:
+ print "Failed to populate the realm structure in kerberos", e
#add the password extop module
def __add_pwd_extop_module(self):
extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
extop_fd = write_tmp_file(extop_txt)
- ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+ try:
+ ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+ except subprocess.CalledProcessError, e:
+ print "Failed to load pwd-extop-conf.ldif", e
extop_fd.close()
#add an ACL to let the DS user read the master key
args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
- run(args)
+ try:
+ run(args)
+ except subprocess.CalledProcessError, e:
+ print "Failed to set the ACL on the master key", e
def __create_ds_keytab(self):
+ try:
+ os.remove("/etc/dirsrv/ds.keytab")
+ except os.OSError:
+ print "Failed to remove /etc/dirsrv/ds.keytab."
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
@@ -218,6 +244,10 @@ class KrbInstance:
os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid)
def __create_http_keytab(self):
+ try:
+ os.remove("/etc/httpd/conf/ipa.keytab")
+ except os.OSError:
+ print "Failed to remove /etc/httpd/conf/ipa.keytab."
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
generated by cgit (git 2.34.1) at 2024-06-23 03:46:54 +0000