authorTomas Babej <tbabej@redhat.com>2013-10-09 13:20:13 +0200
committerMartin Kosek <mkosek@redhat.com>2013-10-14 11:11:17 +0200
commitd769b124b0aa4b58cccbee2dd04c2bb9063fbae7 (patch)
treefcb25098fe9302ec3cefe43e98df81ab0d127019 /ipaserver
parent45e310ecc45bbf0c4656b3f46ad4aa659af928de (diff)
adtrustinstance: Properly handle uninstall of AD trust instance
The uninstall method of the AD trust instance was not called at all during the ipa-server-install --uninstall phase. This patch makes sure that the AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files

Additionally, we make sure the winbind service is stopped from within the stop() method.

Part of: https://fedorahosted.org/freeipa/ticket/3479
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/adtrustinstance.py51
1 files changed, 37 insertions, 14 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 140c8d76..e817197a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@ import struct
import re
from ipaserver.install import service
+from ipaserver.install import installutils
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
dns_zone_exists
@@ -473,26 +474,31 @@ class ADTRUSTInstance(service.Service):
member=[self.cifs_agent],
)
self.admin_conn.add_entry(entry)
- except Exception, e:
- # CIFS principal already exists, it is not the first time adtrustinstance is managed
+ except Exception:
+ # CIFS principal already exists, it is not the first time
+ # adtrustinstance is managed
# That's fine, we we'll re-extract the key again.
pass
- samba_keytab = "/etc/samba/samba.keytab"
- if os.path.exists(samba_keytab):
- try:
- ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
- "-k", samba_keytab])
- except ipautil.CalledProcessError, e:
- if e.returncode != 5:
- root_logger.critical("Failed to remove old key for %s" % self.cifs_principal)
+ self.clean_samba_keytab()
try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
"--principal", self.cifs_principal,
- "-k", samba_keytab])
- except ipautil.CalledProcessError, e:
- root_logger.critical("Failed to add key for %s" % self.cifs_principal)
+ "-k", self.samba_keytab])
+ except ipautil.CalledProcessError:
+ root_logger.critical("Failed to add key for %s"
+ % self.cifs_principal)
+
+ def clean_samba_keytab(self):
+ if os.path.exists(self.samba_keytab):
+ try:
+ ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
+ "-k", self.samba_keytab])
+ except ipautil.CalledProcessError, e:
+ if e.returncode != 5:
+ root_logger.critical("Failed to remove old key for %s"
+ % self.cifs_principal)
def srv_rec(self, host, port, prio):
return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port)
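Review bot: `clean_samba_keytab` only logs when `ipa-rmkeytab` fails with a code other than 5, so a caller cannot tell that the CIFS service key is still in the keytab; this matters more now that the uninstall path relies on the method to remove key material. Consider returning a success flag, or re-raising after the `root_logger.critical(...)` call, so uninstall can report leftover keys. The method also has no docstring and the literal `5` is unexplained; it appears to be the "principal not found in keytab" exit status, and a one-line comment confirming that would help. A short docstring could say that the method removes this instance's CIFS principal keys from `self.samba_keytab` and is a no-op when the file does not exist.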
@@ -693,6 +699,7 @@ class ADTRUSTInstance(service.Service):
def __stop(self):
self.backup_state("running", self.is_running())
try:
+ ipaservices.service('winbind').stop()
self.stop()
except:
pass
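Review bot: In `__stop`, the new `ipaservices.service('winbind').stop()` shares one `try` with `self.stop()` under a bare `except: pass`, so any error while stopping winbind silently skips `self.stop()` too. The service can then stay running while the rest of the teardown proceeds. Give the winbind call its own `try`/`except Exception:` ahead of the existing block, and log the failure through `root_logger` rather than discarding it. The end of `__stop` is not visible in this hunk.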
@@ -750,6 +757,7 @@ class ADTRUSTInstance(service.Service):
realm_to_serverid(self.realm)
self.smb_conf = "/etc/samba/smb.conf"
+ self.samba_keytab = "/etc/samba/samba.keytab"
self.smb_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
('cn', 'etc'), self.suffix)
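Review bot: `self.samba_keytab` is assigned next to `self.smb_conf`, in a method whose signature is outside this hunk. If that method is a setup step rather than the constructor, an instance created only to uninstall may never set either attribute. The uninstall code added in this commit reads both, through `clean_samba_keytab()` and `installutils.remove_file(self.smb_conf)`, and would then fail or act on an unset path. Since both paths are fixed strings, defining them where the instance is constructed would make uninstall independent of the setup call; please confirm which method this is.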
@@ -865,7 +873,6 @@ class ADTRUSTInstance(service.Service):
# we should not restore smb.conf
# Restore the state of affected selinux booleans
-
for var in self.selinux_booleans:
sebool_state = self.restore_state(var)
if not sebool_state is None:
@@ -875,6 +882,22 @@ class ADTRUSTInstance(service.Service):
except:
self.print_msg(SELINUX_WARNING % dict(var=var))
+ # Remove samba's credentials cache
+ krb5cc_samba = '/var/run/samba/krb5cc_samba'
+ installutils.remove_file(krb5cc_samba)
+
+ # Remove samba's configuration file
+ installutils.remove_file(self.smb_conf)
+
+ # Remove samba's persistent and temporary tdb files
+ tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/")
+ if tdb_file.endswith(".tdb")]
+ for tdb_file in tdb_files:
+ installutils.remove_file(tdb_file)
+
+ # Remove our keys from samba's keytab
+ self.clean_samba_keytab()
+
if not enabled is None and not enabled:
self.disable()
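Review bot: The tdb cleanup passes bare names from `os.listdir("/var/lib/samba/")` to `installutils.remove_file(tdb_file)`, so each path resolves against the current working directory. The samba databases are therefore left behind, and an unrelated `*.tdb` file in the working directory could be removed instead. Join the directory back on: `installutils.remove_file(os.path.join("/var/lib/samba", tdb_file))`. `os.listdir` also raises `OSError` when the directory is missing, which would abort the rest of the uninstall unless it is guarded. Separately, `installutils.remove_file(self.smb_conf)` deletes smb.conf although the commit description does not list that step and the nearby comment says smb.conf should not be restored; confirm this is intended. The enclosing method starts outside this hunk.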