author | Martin Babinsky <mbabinsk@redhat.com> | 2017-02-03 17:16:59 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-02-22 18:50:30 +0100 |
commit | 8bac62b7f5d01ceb20388599e8549b1b222f283e (patch) | |
tree | 117d82cc028c180d503bd6d6d07a91f3f42aa5a1 | |
parent | ce3baf28ce81458e1c5bf57188858d3d120ec3dd (diff) | |
use the methods of the parent class to retrieve CIFS kerberos keys
adtrustinstance will now use parent's methods to retrieve keys for CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.
https://fedorahosted.org/freeipa/ticket/6638
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 30 |
1 files changed, 11 insertions, 19 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index c866cdd88..0b189854f 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -530,27 +530,18 @@ class ADTRUSTInstance(service.Service):
 api.Backend.ldap2, self.smb_dn, "member", [self.cifs_agent, self.host_princ])
- def __setup_principal(self):
- try:
- api.Command.service_add(unicode(self.principal))
- except errors.DuplicateEntry:
- # CIFS principal already exists, it is not the first time
- # adtrustinstance is managed
- # That's fine, we we'll re-extract the key again.
- pass
- except Exception as e:
- self.print_msg("Cannot add CIFS service: %s" % e)
-
+ def clean_previous_keytab(self, keytab=None):
+ """
+ Purge old CIFS keys from samba and clean up samba ccache
+ """
 self.clean_samba_keytab()
 installutils.remove_ccache(paths.KRB5CC_SAMBA)
- try:
- ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
- "--principal", self.principal,
- "-k", self.keytab])
- except ipautil.CalledProcessError:
- root_logger.critical("Failed to add key for %s"
- % self.principal)
+ def set_keytab_owner(self, keytab=None, owner=None):
+ """
+ Do not re-set ownership of samba keytab
+ """
+ pass
 def clean_samba_keytab(self):
 if os.path.exists(self.keytab):
@@ -818,7 +809,8 @@ class ADTRUSTInstance(service.Service):
 self.__create_samba_domain_object)
 self.step("creating samba config registry", self.__write_smb_registry)
 self.step("writing samba config file", self.__write_smb_conf)
- self.step("adding cifs Kerberos principal", self.__setup_principal)
+ self.step("adding cifs Kerberos principal",
+ self.request_service_keytab)
 self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
 self.__setup_group_membership)
 self.step("check for cifs services defined on other replicas", self.__check_replica) |
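Review bot: The `set_keytab_owner` override in the first hunk is a security-relevant no-op, but its docstring (`Do not re-set ownership of samba keytab`) does not say why, so a later cleanup could remove it and let the parent class change the file's owner. The commit message says the CIFS keys are appended to the host keytab (/etc/krb5.keytab), and the docstring should carry that reason, e.g. `Deliberate no-op: the CIFS keys live in the host keytab, whose ownership must stay unchanged.` In the same hunk `clean_previous_keytab` accepts `keytab` but never uses it; a comment such as `# keytab is ignored: stale CIFS keys are purged by clean_samba_keytab()` would mark that as intentional. The body of `clean_samba_keytab` continues outside the hunk, so whether it removes only CIFS entries and leaves the host keys alone cannot be confirmed from here.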