author | Tomas Babej <tbabej@redhat.com> | 2013-10-09 13:20:13 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-10-14 11:11:17 +0200 |
commit | d769b124b0aa4b58cccbee2dd04c2bb9063fbae7 (patch) | |
tree | fcb25098fe9302ec3cefe43e98df81ab0d127019 | |
parent | 45e310ecc45bbf0c4656b3f46ad4aa659af928de (diff) | |
adtrustinstance: Properly handle uninstall of AD trust instance
The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.
This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
-rwxr-xr-x | install/tools/ipa-adtrust-install | 5 | ||||
-rw-r--r-- | install/tools/ipa-server-install | 2 | ||||
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 51 |
3 files changed, 42 insertions, 16 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index badb483ad..fe86a9464 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -276,8 +276,9 @@ def main(): sys.exit("Aborting installation.") elif os.path.exists('/etc/samba/smb.conf'): - print("WARNING: The smb.conf already exists. Running ipa-adtrust-install - "will break your existing samba configuration.\n\n") + print("WARNING: The smb.conf already exists. Running " + "ipa-adtrust-install will break your existing samba " + "configuration.\n\n") if not options.unattended: if not ipautil.user_input("Do you wish to continue?", default = False, diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index b871ef3f2..cf769f557 100644 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -40,6 +40,7 @@ import pwd import textwrap from optparse import OptionGroup, OptionValueError +from ipaserver.install import adtrustinstance from ipaserver.install import dsinstance from ipaserver.install import krbinstance from ipaserver.install import bindinstance @@ -492,6 +493,7 @@ def uninstall(): httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() + adtrustinstance.ADTRUSTInstance(fstore).uninstall() memcacheinstance.MemcacheInstance().uninstall() otpdinstance.OtpdInstance().uninstall() ipaservices.restore_network_configuration(fstore, sstore) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 140c8d769..e817197a1 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -27,6 +27,7 @@ import struct import re from ipaserver.install import service +from ipaserver.install import installutils from ipaserver.install.dsinstance import realm_to_serverid from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ dns_zone_exists 
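Review bot: In ipa-server-install's uninstall(), the new `adtrustinstance.ADTRUSTInstance(fstore).uninstall()` call runs on every server uninstall, whether or not ipa-adtrust-install was ever run on the host. The adtrustinstance.py part of this commit makes that method delete /etc/samba/smb.conf and the tdb files under /var/lib/samba, so a Samba setup that IPA never managed could be removed, unless uninstall() checks its own configured state in lines outside the hunk. A guard at the call site would make the intent explicit, for example `adtrust = adtrustinstance.ADTRUSTInstance(fstore)` followed by `if adtrust.is_configured(): adtrust.uninstall()`. The body of uninstall() in ipa-server-install starts and ends outside this hunk.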
@@ -473,26 +474,31 @@ class ADTRUSTInstance(service.Service): member=[self.cifs_agent], ) self.admin_conn.add_entry(entry) - except Exception, e: - # CIFS principal already exists, it is not the first time adtrustinstance is managed + except Exception: + # CIFS principal already exists, it is not the first time + # adtrustinstance is managed # That's fine, we we'll re-extract the key again. pass - samba_keytab = "/etc/samba/samba.keytab" - if os.path.exists(samba_keytab): - try: - ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal, - "-k", samba_keytab]) - except ipautil.CalledProcessError, e: - if e.returncode != 5: - root_logger.critical("Failed to remove old key for %s" % self.cifs_principal) + self.clean_samba_keytab() try: ipautil.run(["ipa-getkeytab", "--server", self.fqdn, "--principal", self.cifs_principal, - "-k", samba_keytab]) - except ipautil.CalledProcessError, e: - root_logger.critical("Failed to add key for %s" % self.cifs_principal) + "-k", self.samba_keytab]) + except ipautil.CalledProcessError: + root_logger.critical("Failed to add key for %s" + % self.cifs_principal) + + def clean_samba_keytab(self): + if os.path.exists(self.samba_keytab): + try: + ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal, + "-k", self.samba_keytab]) + except ipautil.CalledProcessError, e: + if e.returncode != 5: + root_logger.critical("Failed to remove old key for %s" + % self.cifs_principal) def srv_rec(self, host, port, prio): return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port) @@ -693,6 +699,7 @@ class ADTRUSTInstance(service.Service): def __stop(self): self.backup_state("running", self.is_running()) try: + ipaservices.service('winbind').stop() self.stop() except: pass 
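Review bot: The new `clean_samba_keytab()` in adtrustinstance.py has no docstring, and the `e.returncode != 5` test is an unexplained magic number. I would add `"""Remove the CIFS principal's keys from the Samba keytab, if the keytab exists."""` and a comment on the check such as `# 5 is presumably ipa-rmkeytab's "principal not found in keytab" status; confirm against its man page`. The method is now also used from uninstall(), where a failed removal is only logged, so the caller cannot tell that service keys were left behind in /etc/samba/samba.keytab. Returning a success flag, or re-raising on the uninstall path, would let the uninstaller report this.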
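Review bot: In `__stop`, the added `ipaservices.service('winbind').stop()` shares a `try` with `self.stop()`, and the handler is a bare `except: pass`. If stopping winbind raises (for instance because the unit does not exist), `self.stop()` is never reached and nothing is logged, so the main service stays running with no trace of why. Stopping winbind in its own try block, with a narrower `except Exception` and a log line, keeps the best-effort behaviour without coupling the two stops. The commit message places this change in stop(), but the hunk changes `__stop`.

```python
        self.backup_state("running", self.is_running())
        # Stop winbind on its own so a failure here cannot skip self.stop().
        try:
            ipaservices.service('winbind').stop()
        except Exception:
            root_logger.warning("Failed to stop winbind")
        # ... unchanged: try/except around self.stop() ...
```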
@@ -750,6 +757,7 @@ class ADTRUSTInstance(service.Service): realm_to_serverid(self.realm) self.smb_conf = "/etc/samba/smb.conf" + self.samba_keytab = "/etc/samba/samba.keytab" self.smb_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), self.suffix) @@ -865,7 +873,6 @@ class ADTRUSTInstance(service.Service): # we should not restore smb.conf # Restore the state of affected selinux booleans - for var in self.selinux_booleans: sebool_state = self.restore_state(var) if not sebool_state is None: @@ -875,6 +882,22 @@ class ADTRUSTInstance(service.Service): except: self.print_msg(SELINUX_WARNING % dict(var=var)) + # Remove samba's credentials cache + krb5cc_samba = '/var/run/samba/krb5cc_samba' + installutils.remove_file(krb5cc_samba) + + # Remove samba's configuration file + installutils.remove_file(self.smb_conf) + + # Remove samba's persistent and temporary tdb files + tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/") + if tdb_file.endswith(".tdb")] + for tdb_file in tdb_files: + installutils.remove_file(tdb_file) + + # Remove our keys from samba's keytab + self.clean_samba_keytab() + if not enabled is None and not enabled: self.disable() |
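Review bot: `self.samba_keytab` is assigned next to `self.smb_conf` in a method that starts outside this hunk, and the neighbouring `realm_to_serverid(self.realm)` suggests this is the setup path rather than `__init__`. The ipa-server-install part of this commit builds `ADTRUSTInstance(fstore)` and calls `uninstall()` directly. That method now reads `self.smb_conf` and, through clean_samba_keytab(), `self.samba_keytab` and `self.cifs_principal`. If these attributes are only set during setup, the uninstall would stop with an AttributeError before any cleanup runs. Defining the fixed paths in `__init__` (`self.samba_keytab = "/etc/samba/samba.keytab"`, likewise for `smb_conf`) and deriving the principal there would avoid that. This is worth confirming against the full class.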
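Review bot: In uninstall(), `os.listdir("/var/lib/samba/")` returns bare file names, and the loop passes them to `installutils.remove_file(tdb_file)` without the directory. The names are therefore resolved against the current working directory, so the intended tdb files would stay in place and a same-named file in the working directory could be removed instead, unless remove_file resolves paths itself, which is not visible here. `os.listdir` also raises OSError when the directory is missing, which would abort the rest of the uninstall, including the keytab cleanup that follows. The fence below joins the directory onto each name and tolerates a missing directory. uninstall() begins outside this hunk.

```python
        # Remove samba's persistent and temporary tdb files
        samba_lib_dir = "/var/lib/samba/"
        try:
            tdb_names = os.listdir(samba_lib_dir)
        except OSError:
            # Nothing to clean if the directory cannot be listed
            tdb_names = []
        for tdb_name in tdb_names:
            if tdb_name.endswith(".tdb"):
                installutils.remove_file(os.path.join(samba_lib_dir, tdb_name))
        # ... unchanged: clean_samba_keytab() call ...
```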