authorRob Crittenden <rcritten@redhat.com>2008-04-25 17:01:31 -0400
committerRob Crittenden <rcritten@redhat.com>2008-05-08 12:57:48 -0400
commit34a615b069bc6ca8ef6238d642b02b57f60a6a36 (patch)
tree81a4a8fea749a1178deb6761e9ca4a56506f58d2
parent561c3385acc76c1b89aaf5279cfc5ed4a834fb70 (diff)
Don't allow the IPA server service principals to be removed.
440282
-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/xmlrpc-server/funcs.py3
2 files changed, 8 insertions, 0 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 4f641f98..925f510f 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -178,6 +178,11 @@ INPUT_ADMIN_REQUIRED_IN_ADMINS = gen_error_code(
0x0009,
"The admin user cannot be removed from the admins group.")
+INPUT_SERVICE_PRINCIPAL_REQUIRED = gen_error_code(
+ INPUT_CATEGORY,
+ 0x000A,
+ "You cannot remove IPA server service principals.")
+
#
# Connection errors
#
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 74a3030c..d83fed09 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1974,6 +1974,9 @@ class IPAServer:
entry = self.get_entry_by_dn(principal, ['dn', 'objectclass'], opts)
if entry is None:
raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+ dn_list = ldap.explode_dn(entry['dn'].lower())
+ if "cn=kerberos" in dn_list:
+ raise ipaerror.gen_exception(ipaerror.INPUT_SERVICE_PRINCIPAL_REQUIRED)
conn = self.getConnection(opts)
try:
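Review bot: The new guard `if "cn=kerberos" in dn_list:` protects the server's service principals only on this XML-RPC path, and nothing in the hunk says why that RDN identifies them. If the directory does not also deny the delete (for example through an ACI on that subtree, which is not visible here), an identity with write access could presumably still remove these entries over LDAP directly, so it is worth confirming that the directory enforces the same rule. I would add a comment above the check such as `# Entries under cn=kerberos include the IPA server's own service principals; refuse to delete them here (directory-side protection: confirm)`. Logging the refused request with the caller's identity before the raise would also make denied attempts visible to operators. The enclosing method starts and ends outside the hunk, so what follows `try:` is not reviewed.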