authorMartin Babinsky <mbabinsk@redhat.com>2015-10-09 18:08:38 +0200
committerMartin Basti <mbasti@redhat.com>2015-11-11 15:39:42 +0100
commit117bf5af8c5ffa63dc380cb331843396ce8b8286 (patch)
treef41a26b39e78bea6d08e3c17b79db52e19977204
parent0152d16820e527060be3363f590c49544b51b710 (diff)
downloadfreeipa-117bf5af8c5ffa63dc380cb331843396ce8b8286.tar.gz
freeipa-117bf5af8c5ffa63dc380cb331843396ce8b8286.tar.xz
freeipa-117bf5af8c5ffa63dc380cb331843396ce8b8286.zip
remove Kerberos authenticators when installing/uninstalling service instance
Each service that owns a Kerberos keytab/ccache now removes them before creating its service principal and during service uninstall. https://fedorahosted.org/freeipa/ticket/5243 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r--ipaserver/install/adtrustinstance.py4
-rw-r--r--ipaserver/install/bindinstance.py3
-rw-r--r--ipaserver/install/dnskeysyncinstance.py3
-rw-r--r--ipaserver/install/dsinstance.py4
-rw-r--r--ipaserver/install/httpinstance.py10
-rw-r--r--ipaserver/install/installutils.py37
-rw-r--r--ipaserver/install/odsexporterinstance.py3
7 files changed, 56 insertions, 8 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b8f1b770a..813d48e50 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg("Cannot add CIFS service: %s" % e)
self.clean_samba_keytab()
+ installutils.remove_ccache(paths.KRB5CC_SAMBA)
try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
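Review bot: The new call at the top of this hunk passes the cache path positionally, `installutils.remove_ccache(paths.KRB5CC_SAMBA)`, while the uninstall hunk of the same file writes `installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)`; since the helper's first parameter is optional and sits next to `run_as`, the keyword form is the one to keep in both places. The `try:` that follows continues outside the hunk.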
@@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache
- krb5cc_samba = paths.KRB5CC_SAMBA
- installutils.remove_file(krb5cc_samba)
+ installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 1d98926b2..6bfde83de 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
if named_regular_running:
self.named_regular.start()
+
+ installutils.remove_keytab(paths.NAMED_KEYTAB)
+ installutils.remove_ccache(run_as='named')
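Review bot: The user is passed as the bare string `'named'`, whereas dsinstance.py and httpinstance.py in this same commit pass module constants (`DS_USER`, `HTTPD_USER`); if bindinstance has an equivalent constant for the named service user it should be used here so the account name is defined in one place. Note also that with no `ccache_path` the helper relies on kdestroy resolving the default cache of that user, which presumably depends on the krb5.conf default_ccache_name; a short comment such as `# no path: clear named's default ccache as resolved by kdestroy` would record that intent. The enclosing uninstall method starts before this hunk.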
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 68130c925..b2ccc0274 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
def __setup_principal(self):
assert self.ods_gid is not None
+ installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dnssynckey_principal)
@@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
os.remove(paths.DNSSEC_SOFTHSM_PIN)
except Exception:
pass
+
+ installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 15b23a870..7bdcaea31 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -937,8 +937,8 @@ class DsInstance(service.Service):
root_logger.debug("Removing DS instance %s" % serverid)
try:
remove_ds_instance(serverid)
- root_logger.debug("Removing DS keytab")
- installutils.remove_file(paths.DS_KEYTAB)
+ installutils.remove_keytab(paths.DS_KEYTAB)
+ installutils.remove_ccache(run_as=DS_USER)
except ipautil.CalledProcessError:
root_logger.error("Failed to remove DS instance. You may "
"need to remove instance data manually")
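Review bot: The new `installutils.remove_keytab(paths.DS_KEYTAB)` and `installutils.remove_ccache(run_as=DS_USER)` calls sit inside the `try` whose `except ipautil.CalledProcessError` handles `remove_ds_instance`, so when the instance removal fails the DS keytab and credential cache are left on disk even though neither helper raises that exception itself. Moving the two lines after the try/except (or into a `finally:`) would clear the Kerberos material regardless of how the directory-server removal goes, which matches the commit's stated goal. The enclosing method starts before this hunk.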
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 53ccc24cc..305627031 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
def __create_http_keytab(self):
if not self.promote:
+ installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.kadmin_addprinc(self.principal)
installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
self.move_service(self.principal)
@@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
+ ipautil.run(
+ [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
root_logger.debug(error)
pass
- # Remove the ccache file for the HTTPD service
- ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
- raiseonerr=False)
+ installutils.remove_keytab(paths.IPA_KEYTAB)
+ installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
+ run_as=HTTPD_USER)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b15fdc037..5cad05dd4 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -20,6 +20,7 @@
from __future__ import absolute_import
from __future__ import print_function
+import errno
import socket
import getpass
import gssapi
@@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
for dn in remaining_changes:
root_logger.error(
"DN: %s does not exists or haven't been updated", dn)
+
+
+def remove_keytab(keytab_path):
+ """
+ Remove Kerberos keytab and issue a warning if the procedure fails
+
+ :param keytab_path: path to the keytab file
+ """
+ try:
+ root_logger.debug("Removing service keytab: {}".format(keytab_path))
+ os.remove(keytab_path)
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ root_logger.warning("Failed to remove Kerberos keytab '{}': "
+ "{}".format(keytab_path, e))
+ root_logger.warning("You may have to remove it manually")
+
+
+def remove_ccache(ccache_path=None, run_as=None):
+ """
+ remove Kerberos credential cache, essentially a wrapper around kdestroy.
+
+ :param ccache_path: path to the ccache file
+ :param run_as: run kdestroy as this user
+ """
+ root_logger.debug("Removing service credentials cache")
+ kdestroy_cmd = [paths.KDESTROY]
+ if ccache_path is not None:
+ root_logger.debug("Ccache path: '{}'".format(ccache_path))
+ kdestroy_cmd.extend(['-c', ccache_path])
+
+ try:
+ ipautil.run(kdestroy_cmd, runas=run_as, env={})
+ except ipautil.CalledProcessError as e:
+ root_logger.warning(
+ "Failed to clear Kerberos credentials cache: {}".format(e))
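Review bot: `remove_ccache` never passes `-A`, so when `ccache_path` is None and the user's default cache is a collection type (KEYRING or DIR, as set by krb5.conf) only the primary cache is destroyed, which is presumably why httpinstance.py still runs `[paths.KDESTROY, '-A']` directly in its second hunk instead of using the helper. Appending `-A` when no path is given, e.g. `kdestroy_cmd.append('-A')` in an `else:` branch of the `ccache_path` check, would let that call site use the helper too, and its failures would then be logged instead of discarded via `raiseonerr=False`. With both parameters left at their defaults the command runs as the invoking root user against root's own default cache, which is likely the credentials the installer is running with; no current caller does this, but a docstring sentence or a guard `if ccache_path is None and run_as is None: raise ValueError("refusing to destroy the caller's own ccache")` would make the hazard explicit. The `env={}` argument deserves the comment httpinstance.py already carries for the same reason: `# empty env so a KRB5CCNAME inherited from the installer cannot redirect kdestroy`.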
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 27a9247de..2d072cc93 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
if signerd_running:
signerd_service.start()
+
+ installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
+ installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)