From 27691b9e1c23d15362d943f04912343df3a29718 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 9 Apr 2008 16:57:41 -0400
Subject: Use the same kpasswd.keytab on all replicas.
If we generate a new keytab for each replica then effectively password changes can only occur on the last replica created.
439905
---
 ipa-server/ipa-install/ipa-replica-install | 4 +++-
 ipa-server/ipa-install/ipa-replica-prepare | 2 ++
 ipa-server/ipaserver/krbinstance.py | 9 +++++++--
 3 files changed, 12 insertions(+), 3 deletions(-)
(limited to 'ipa-server')
diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install
index 674859951..551b468a6 100644
--- a/ipa-server/ipa-install/ipa-replica-install
+++ b/ipa-server/ipa-install/ipa-replica-install
@@ -109,8 +109,10 @@ def install_ds(config):
 def install_krb(config):
 krb = krbinstance.KrbInstance()
 ldappwd_filename = config.dir + "/ldappwd"
+ kpasswd_filename = config.dir + "/kpasswd.keytab"
 krb.create_replica(config.ds_user, config.realm_name, config.host_name,
- config.domain_name, config.dirman_password, ldappwd_filename)
+ config.domain_name, config.dirman_password,
+ ldappwd_filename, kpasswd_filename)
 def install_http(config):
 # if we have a pkcs12 file, create the cert db from
diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare
index 7c49f82af..dbcb75543 100644
--- a/ipa-server/ipa-install/ipa-replica-prepare
+++ b/ipa-server/ipa-install/ipa-replica-prepare
@@ -143,6 +143,7 @@ def copy_files(realm_name, dir):
 config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 try:
 shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
+ shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
 shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
 shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
 shutil.copy(config_dir + "/cacert.asc", dir + "/ca.crt")
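Review bot: `kpasswd_filename` is built from `config.dir` without checking that the replica bundle actually contains a kpasswd.keytab, so a replica-info package prepared by an ipa-replica-prepare that predates this change only fails later, inside `krb.create_replica`, after the directory server install has already run. A check before the call gives a clear error while nothing has been modified yet, e.g. `if not os.path.exists(kpasswd_filename): sys.exit("%s is missing; re-run ipa-replica-prepare on the master" % kpasswd_filename)`, assuming `os` and `sys` are imported by this script (its import block is not visible here). Whether that matches the script's existing error-reporting convention cannot be judged from this hunk.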
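Review bot: The new copy assumes that `/var/kerberos/krb5kdc/kpasswd.keytab` on the preparing server is the one key shared by the whole topology, which per the commit message does not hold for a server that was itself installed as a replica before this change and generated its own keytab; that assumption deserves a comment on the added line, e.g. `# kpasswd.keytab is reused, not re-exported: every replica must carry the same key`. `shutil.copy` carries the source's mode over, so the staged copy keeps the 0600 of the original, but the staging directory `dir` is created outside this hunk and should be confirmed to be 0700 since it briefly holds both this keytab and ldappwd. The `try` body of copy_files continues beyond the hunk.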
@@ -190,6 +191,7 @@ def main():
 print "Packaging the replica into /var/lib/ipa/%s" % "replica-info-" + replica_fqdn
 ipautil.run(["/bin/tar", "cfz", "/var/lib/ipa/replica-info-" + replica_fqdn, "-C", top_dir, "realm_info"])
+ os.chmod("/var/lib/ipa/replica-info-" + replica_fqdn, 0600)
 shutil.rmtree(dir)
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 414568846..949e30bc5 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -147,8 +147,9 @@ class KrbInstance(service.Service):
 self.kpasswd.create_instance()
- def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename):
+ def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
 self.__copy_ldap_passwd(ldap_passwd_filename)
+ self.__copy_kpasswd_keytab(kpasswd_filename)
 self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
@@ -157,7 +158,6 @@ class KrbInstance(service.Service):
 self.step("configuring KDC", self.__create_replica_instance)
 self.step("creating a keytab for the directory", self.__create_ds_keytab)
 self.step("creating a keytab for the machine", self.__create_host_keytab)
- self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
 self.__common_post_setup()
@@ -170,6 +170,11 @@ class KrbInstance(service.Service):
 shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
 os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
+ def __copy_kpasswd_keytab(self, filename):
+ self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
+ shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
+ os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600)
+
 def __configure_kdc_account_password(self):
 hexpwd = ''
-- cgit
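Review bot: The added `os.chmod(..., 0600)` runs only after `tar` has already created the archive under the process umask, so between the two calls the bundle — which now carries the kpasswd keytab as well as ldappwd — is readable by any local user whenever the umask is the customary 022. Tightening the umask around the archive step closes that window: `old_umask = os.umask(077)` before the `ipautil.run([...])` and `os.umask(old_umask)` after it, keeping the explicit chmod as a second line of defence. The rest of main() lies outside the hunk.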
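Review bot: `create_replica` gains a required positional parameter `kpasswd_filename` but no docstring saying why a keytab is now copied in instead of exported, which is precisely the subtlety this commit fixes; any other caller still passing six arguments will fail with a TypeError, and only the ipa-replica-install caller is updated in this patch. A short docstring on the new signature should state that `ldap_passwd_filename` and `kpasswd_filename` are files taken from the master's replica bundle and that the kpasswd keytab is reused verbatim so that every replica holds the same key and password changes keep working on all of them. The method body continues beyond this hunk.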
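Review bot: `shutil.copy` creates the destination with the source file's mode, so until the following `os.chmod` runs the new `/var/kerberos/krb5kdc/kpasswd.keytab` is only as protected as the extracted bundle file happens to be; the ldappwd context lines already follow this pattern, but a keytab is a long-term service key and should never be world-readable even briefly. The cheapest fix is to make the mode that `shutil.copy` carries over already restrictive: `os.chmod(filename, 0600)` immediately before the `shutil.copy`, keeping the chmod on the destination as well. A one-line comment such as `# reuse the master's keytab rather than regenerate it: all replicas must share this key` would also tell the next reader why this differs from the other keytabs created in this class.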