authorRob Crittenden <rcritten@redhat.com>2012-10-01 13:05:11 -0400
committerMartin Kosek <mkosek@redhat.com>2012-10-03 19:22:11 +0200
commitb2b36db1ebe3e24505154c7027ec221a986b360a (patch)
tree518fe7bbf2c17beddb2ed83e837368123cbb1972 /ipa-client
parent8201ffe5fd7246b61546c2cc9334fb754aefe3fa (diff)
Clear kernel keyring in client installer, save dbdir on new connections
This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
Diffstat (limited to 'ipa-client')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install11
1 files changed, 10 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee8e5831..7b057a98 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -42,6 +42,8 @@ try:
from ipalib import api, errors
from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey
+ from ipapython import kernel_keyring
+ from ipalib.rpc import COOKIE_NAME
import SSSDConfig
from ConfigParser import RawConfigParser
from optparse import SUPPRESS_HELP, OptionGroup
@@ -1666,13 +1668,14 @@ def install(options, env, fstore, statestore):
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
# If on master assume kerberos is already configured properly.
# Get the host TGT.
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
- 'host/%s@%s' % (hostname, cli_realm)])
+ host_principal])
except CalledProcessError, e:
root_logger.error("Failed to obtain host TGT.")
return CLIENT_INSTALL_ERROR
@@ -1693,6 +1696,12 @@ def install(options, env, fstore, statestore):
root_logger.info(
"Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+ # Clear out any current session keyring information
+ try:
+ kernel_keyring.del_key(COOKIE_NAME % host_principal)
+ except ValueError:
+ pass
+
# Now, let's try to connect to the server's XML-RPC interface
try:
api.Backend.xmlclient.connect()
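Review bot: The `except ValueError: pass` around `kernel_keyring.del_key(COOKIE_NAME % host_principal)` in the last hunk discards every ValueError, so an operator debugging the session-redirect problem the commit describes cannot tell from the install log whether a stale cookie was removed or whether the lookup itself failed; assuming del_key raises ValueError only for a missing key, a debug line keeps the best-effort behaviour while leaving a trace: `except ValueError:` / `    root_logger.debug("No session cookie for %s in the kernel keyring", host_principal)`. A matching debug message on the success path ("Cleared stale session cookie for %s") would make the removal visible when it does happen. Note also that only the key named after the newly computed host_principal is unlinked, so a cookie left under a previous hostname or realm is presumably not covered by this change, which is fine for the server-reinstall case the description targets but worth stating in the comment above the try. The enclosing install() function starts and ends outside this hunk.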