diff options
Diffstat (limited to 'ipa-server/ipaserver/krbinstance.py')
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 80 |
1 files changed, 29 insertions, 51 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index e17a3274d..c4ebde50c 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -32,6 +32,8 @@ import os import pwd import socket import time + +import service from ipa.ipautil import * def host_to_domain(fqdn): @@ -63,8 +65,9 @@ def update_key_val_in_file(filename, key, val): f.write("%s=%s\n" % (key, val)) f.close() -class KrbInstance: +class KrbInstance(service.Service): def __init__(self): + service.Service.__init__(self, "krb5kdc") self.ds_user = None self.fqdn = None self.realm = None @@ -95,39 +98,41 @@ class KrbInstance: # It could have been not running pass + self.start_creation(10, "Configuring Kerberos KDC") + self.__configure_kdc_account_password() self.__setup_sub_dict() self.__configure_ldap() - self.__configure_http() - self.__create_instance() self.__create_ds_keytab() - self.__create_http_keytab() - self.__export_kadmin_changepw_keytab() self.__add_pwd_extop_module() try: + self.step("starting the KDC") self.start() except: - print "krb5kdc service failed to start" + logging.critical("krb5kdc service failed to start") + + self.step("configuring KDC to start on boot") + self.chkconfig_on() - def stop(self): - run(["/sbin/service", "krb5kdc", "stop"]) + self.step("configuring ipa-kpasswd to start on boot") + service.chkconfig_on("ipa-kpasswd") - def start(self): - run(["/sbin/service", "krb5kdc", "start"]) + self.step("starting ipa-kpasswd") + service.start("ipa-kpasswd") - def restart(self): - run(["/sbin/service", "krb5kdc", "restart"]) + self.done_creation() def __configure_kdc_account_password(self): + self.step("setting KDC account password") hexpwd = '' for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) @@ -145,14 +150,14 @@ class KrbInstance: REALM=self.realm) def __configure_ldap(self): - + self.step("adding kerberos configuration to the directory") #TODO: test that the ldif is ok with any random charcter we may use in the password kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) kerberos_fd = write_tmp_file(kerberos_txt) try: ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) except subprocess.CalledProcessError, e: - print "Failed to load kerberos.ldif", e + logging.critical("Failed to load kerberos.ldif: %s" % str(e)) kerberos_fd.close() #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes @@ -161,10 +166,11 @@ class KrbInstance: try: ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) except subprocess.CalledProcessError, e: - print "Failed to load default-aci.ldif", e + logging.critical("Failed to load default-aci.ldif: %s" % str(e)) aci_fd.close() def __create_instance(self): + self.step("configuring KDC") kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") kdc_fd.write(kdc_conf) @@ -200,12 +206,13 @@ class KrbInstance: #add the password extop module def __add_pwd_extop_module(self): + self.step("adding the password extenstion to the directory") extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict) extop_fd = write_tmp_file(extop_txt) try: ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) except subprocess.CalledProcessError, e: - print "Failed to load pwd-extop-conf.ldif", e + logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e)) extop_fd.close() #add an ACL to let the DS user read the master key @@ -213,14 +220,15 @@ class KrbInstance: try: run(args) except subprocess.CalledProcessError, e: - print "Failed to set the ACL on the master key", e + logging.critical("Failed to set the ACL on the master key: %s" % str(e)) def __create_ds_keytab(self): + self.step("creating a keytab for the directory") try: if file_exists("/etc/dirsrv/ds.keytab"): os.remove("/etc/dirsrv/ds.keytab") except os.error: - print "Failed to remove /etc/dirsrv/ds.keytab." + logging.critical("Failed to remove /etc/dirsrv/ds.keytab.") (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") kwrite.flush() @@ -236,7 +244,7 @@ class KrbInstance: time.sleep(1) retry += 1 if retry > 15: - print "Error timed out waiting for kadmin to finish operations\n" + logging.critical("Error timed out waiting for kadmin to finish operations") sys.exit(1) update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") @@ -244,6 +252,7 @@ class KrbInstance: os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid) def __export_kadmin_changepw_keytab(self): + self.step("exporting the kadmin keytab") (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("modprinc +requires_preauth kadmin/changepw\n") kwrite.flush() @@ -264,42 +273,11 @@ class KrbInstance: time.sleep(1) retry += 1 if retry > 15: - print "Error timed out waiting for kadmin to finish operations\n" + logging.critical("Error timed out waiting for kadmin to finish operations") sys.exit(1) update_key_val_in_file("/etc/sysconfig/ipa-kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab") pent = pwd.getpwnam(self.ds_user) os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid) - def __create_http_keytab(self): - try: - if file_exists("/etc/httpd/conf/ipa.keytab"): - os.remove("/etc/httpd/conf/ipa.keytab") - except os.error: - print "Failed to remove /etc/httpd/conf/ipa.keytab." - (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") - kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.close() - kread.close() - kerr.close() - - # give kadmin time to actually write the file before we go on - retry = 0 - while not file_exists("/etc/httpd/conf/ipa.keytab"): - time.sleep(1) - retry += 1 - if retry > 15: - print "Error timed out waiting for kadmin to finish operations\n" - sys.exit(1) - - pent = pwd.getpwnam("apache") - os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) - def __configure_http(self): - http_txt = template_file(SHARE_DIR + "ipa.conf", self.sub_dict) - http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") - http_fd.write(http_txt) - http_fd.close() |