From 42f4b72c16252cb2439d1132a25f85ca1a44bd15 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin
Date: Tue, 18 Dec 2007 18:03:34 +0000
Subject: Refactor keytab creation

There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils.

Signed-off-by: Mark McLoughlin
---
 ipa-server/ipaserver/httpinstance.py | 26 ++----------
 ipa-server/ipaserver/installutils.py | 35 ++++++++++++++++
 ipa-server/ipaserver/krbinstance.py | 81 ++++-------------------------------
 3 files changed, 47 insertions(+), 95 deletions(-)

diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index d0329ccad..4f8946b45 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -26,7 +26,6 @@ import logging
 import pwd
 import fileinput
 import sys
-import time
 import shutil
 import service
@@ -88,28 +87,9 @@ class HTTPInstance(service.Service):
 self.print_msg(selinux_warning)
 def __create_http_keytab(self):
- try:
- if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- os.remove("/etc/httpd/conf/ipa.keytab")
- except os.error:
- print "Failed to remove /etc/httpd/conf/ipa.keytab."
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- print "Error timed out waiting for kadmin to finish operations\n"
- sys.exit(1)
+ http_principal = "HTTP/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(http_principal)
+ installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
 pent = pwd.getpwnam("apache")
 os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
diff --git a/ipa-server/ipaserver/installutils.py b/ipa-server/ipaserver/installutils.py
index 25cd1555c..db3f6a6f8 100644
--- a/ipa-server/ipaserver/installutils.py
+++ b/ipa-server/ipaserver/installutils.py
@@ -25,6 +25,9 @@ import os
 import re
 import fileinput
 import sys
+import time
+
+from ipa import ipautil
 def get_fqdn():
 fqdn = ""
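Review bot: The HTTP keytab is handed to the apache user with `os.chown` but its mode is never tightened, whereas `__create_host_keytab` in krbinstance.py follows its chown with `os.chmod(..., 0600)`; add `os.chmod("/etc/httpd/conf/ipa.keytab", 0600)` after the chown so the key material's permissions do not depend on how kadmin's ktadd happened to create the file. The same gap exists for /etc/dirsrv/ds.keytab in `__create_ds_keytab` and /var/kerberos/krb5kdc/kpasswd.keytab in `__export_kadmin_changepw_keytab` in the krbinstance.py hunk below. The new lines also assume `installutils` is already imported in httpinstance.py — the import hunk for this file only drops `time`, so confirm that, and check whether `sys` is still used now that the `sys.exit(1)` has moved into installutils. `__create_http_keytab`'s body may continue beyond the end of the hunk.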
@@ -124,4 +127,36 @@ def update_file(filename, orig, subst):
 print "File %s doesn't exist." % filename
 return 1
+def kadmin(command):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+
+ kwrite.write(command)
+ kwrite.write("\n")
+ kwrite.flush()
+
+ for k in (kwrite, kread, kerr):
+ k.close()
+
+def kadmin_addprinc(principal):
+ kadmin("addprinc -randkey " + principal)
+
+def kadmin_modprinc(principal, options):
+ kadmin("modprinc " + options + " " + principal)
+
+def create_keytab(path, principal):
+ try:
+ if ipautil.file_exists(path):
+ os.remove(path)
+ except os.error:
+ logging.critical("Failed to remove %s." % path)
+
+ kadmin("ktadd -k " + path + " " + principal)
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not ipautil.file_exists(path):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ logging.critical("Error timed out waiting for kadmin to finish operations")
+ sys.exit(1)
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 2f4454bad..5c4976b72 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -29,10 +29,10 @@ import sys
 import os
 import pwd
 import socket
-import time
 import shutil
 import service
+import installutils
 from ipa import ipautil
 from ipa import ipaerror
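Review bot: `kadmin` closes kadmin.local's stdout and stderr without reading them and `os.popen3` exposes no exit status, so a failed `addprinc`, `modprinc` or `ktadd` is invisible to the caller; for `ktadd` the only symptom is the 15-second poll in `create_keytab` timing out, and a failed `modprinc +requires_preauth` goes unnoticed altogether. Close stdin first so kadmin.local sees EOF and finishes, then read and log what it wrote on stderr (where it appears to report errors, alongside some informational messages) before closing the pipes, as sketched below; moving to `subprocess` would additionally give a return code to check. `create_keytab` also calls `logging.critical`, but the import hunk for this file adds only `time` and `ipautil` — if `logging` is not imported earlier in installutils.py the failure path raises NameError instead of exiting cleanly. Since `principal`, `options` and `path` are spliced into a kadmin command line, whitespace or newlines in them would be parsed as extra arguments or commands; the values come from installer configuration today, but a guard rejecting whitespace would make the helper safe for other callers.
```python
def kadmin(command):
    (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")

    kwrite.write(command)
    kwrite.write("\n")
    kwrite.flush()
    # EOF on stdin makes kadmin.local run the command and exit; only then
    # is its output complete and safe to read.
    kwrite.close()

    out = kread.read()
    err = kerr.read()
    kread.close()
    kerr.close()

    if err:
        logging.warning("kadmin.local '%s' reported: %s" % (command, err.strip()))
    return (out, err)
```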
@@ -345,89 +345,26 @@ class KrbInstance(service.Service):
 raise e
 def __create_ds_keytab(self):
- try:
- if ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- os.remove("/etc/dirsrv/ds.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/dirsrv/ds.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/dirsrv/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ ldap_principal = "ldap/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(ldap_principal)
+ installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
 update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
 pent = pwd.getpwnam(self.ds_user)
 os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
 def __create_host_keytab(self):
- try:
- if ipautil.file_exists("/etc/krb5.keytab"):
- os.remove("/etc/krb5.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/krb5.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/krb5.keytab host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/krb5.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ 
host_principal = "host/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(host_principal)
+ installutils.create_keytab("/etc/krb5.keytab", host_principal)
 # Make sure access is strictly reserved to root only for now
 os.chown("/etc/krb5.keytab", 0, 0)
 os.chmod("/etc/krb5.keytab", 0600)
 def __export_kadmin_changepw_keytab(self):
- try:
- if ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- os.remove("/var/kerberos/krb5kdc/kpasswd.keytab")
- except os.error:
- logging.critical("Failed to remove /var/kerberos/krb5kdc/kpasswd.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("modprinc +requires_preauth kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("ktadd -k /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")
+ installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw")
 update_key_val_in_file("/etc/sysconfig/ipa-kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab")
 pent = pwd.getpwnam(self.ds_user)
-- cgit
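Review bot: The three `installutils.create_keytab(...)` calls in this hunk carry no error handling of their own, and a reader of krbinstance.py can no longer see that the helper exits the whole installer after a 15-second wait for the file; a one-line comment at the first call in `__create_ds_keytab`, e.g. `# create_keytab exits the installer if kadmin does not produce the file within 15s`, would make that control flow visible where it is relied upon. The `update_key_val_in_file` and `os.chown` steps that follow each call run only if that exit did not fire, which is worth stating in the same comment. `__export_kadmin_changepw_keytab`'s body continues past the end of the hunk.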