From 3e3ac0ebabb5db25f9179b16ca8b4967e98a82a6 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 6 Jun 2012 10:44:06 -0400
Subject: Clean keytabs before installing new keys into them

In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether.

https://fedorahosted.org/freeipa/ticket/2698
---
 ipa-client/ipa-install/ipa-client-install | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afc332a99..79df8972c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1206,6 +1206,21 @@ def install(options, env, fstore, statestore):
     if not options.unattended and not user_input("Continue to configure the system with these values?", False):
         return CLIENT_INSTALL_ERROR
 
+    if not options.on_master:
+        # Try removing old principals from the keytab
+        try:
+            ipautil.run(['/usr/sbin/ipa-rmkeytab',
+                         '-k', '/etc/krb5.keytab', '-r', cli_realm])
+        except CalledProcessError, e:
+            if e.returncode not in (3, 5):
+                # 3 - Unable to open keytab
+                # 5 - Principal name or realm not found in keytab
+                root_logger.error("Error trying to clean keytab: " +
+                                  "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
+        else:
+            root_logger.info("Removed old keys for realm %s from %s" % (
+                cli_realm, '/etc/krb5.keytab'))
+
     if options.hostname and not options.on_master:
         # configure /etc/sysconfig/network to contain the hostname we set.
         # skip this step when run by ipa-server-install as it always configures
-- 
cgit
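Review bot: The tolerated return codes 3 and 5 in the `except` branch leave no log line at all, so a later look at a host whose keytab still holds unexpected principals cannot tell whether the cleanup ran and found nothing, could not open the keytab, or never ran; an `else:` on the inner `if` with `root_logger.debug("ipa-rmkeytab returned %s, no old keys for realm %s in /etc/krb5.keytab" % (e.returncode, cli_realm))` closes that gap. For any other return code the error is only logged and installation continues, so stale keys for the realm may then sit in the keytab next to the newly fetched ones; if that best-effort behaviour is intended, the error message should say so, e.g. append `"; old keys may remain in /etc/krb5.keytab"`. The literal `/etc/krb5.keytab` appears in both the command and the info message and is a natural local, `keytab = '/etc/krb5.keytab'`, so the two cannot drift apart. The `except CalledProcessError, e:` clause presumably relies on `CalledProcessError` being the exception `ipautil.run` raises and on it already being imported in this file; neither is visible in the hunk. `install()` starts before and continues after the hunk.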