author | Martin Babinsky <mbabinsk@redhat.com> | 2015-10-09 18:08:38 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-11-11 15:39:42 +0100 |
commit | 117bf5af8c5ffa63dc380cb331843396ce8b8286 (patch) | |
tree | f41a26b39e78bea6d08e3c17b79db52e19977204 | |
parent | 0152d16820e527060be3363f590c49544b51b710 (diff) | |
remove Kerberos authenticators when installing/uninstalling service instance
each service that possesses a Kerberos keytab/ccache now removes it
before service principal creation and during service uninstall
https://fedorahosted.org/freeipa/ticket/5243
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 3 | ||||
-rw-r--r-- | ipaserver/install/dnskeysyncinstance.py | 3 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 10 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 37 | ||||
-rw-r--r-- | ipaserver/install/odsexporterinstance.py | 3 |
7 files changed, 56 insertions, 8 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b8f1b770a..813d48e50 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
 self.print_msg("Cannot add CIFS service: %s" % e)
 self.clean_samba_keytab()
+ installutils.remove_ccache(paths.KRB5CC_SAMBA)
 try:
 ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
@@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
 self.print_msg('WARNING: ' + str(e))
 # Remove samba's credentials cache
- krb5cc_samba = paths.KRB5CC_SAMBA
- installutils.remove_file(krb5cc_samba)
+ installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
 # Remove samba's configuration file
 installutils.remove_file(self.smb_conf)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 1d98926b2..6bfde83de 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
 if named_regular_running:
 self.named_regular.start()
+
+ installutils.remove_keytab(paths.NAMED_KEYTAB)
+ installutils.remove_ccache(run_as='named')
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 68130c925..b2ccc0274 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
 def __setup_principal(self):
 assert self.ods_gid is not None
+ installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
 dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
 installutils.kadmin_addprinc(dnssynckey_principal)
@@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
 os.remove(paths.DNSSEC_SOFTHSM_PIN)
 except Exception:
 pass
+
+ installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
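Review bot: The new `installutils.remove_ccache(paths.KRB5CC_SAMBA)` call in the @@ -540 hunk passes the cache path positionally, while the @@ -938 hunk in the same file and the httpd and ODS exporter callers in this commit spell it `ccache_path=`; writing `installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)` keeps the call sites uniform and is robust to a later reordering of the helper's optional parameters. Both hunks sit inside methods that start before and continue after the hunk.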
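Review bot: `installutils.remove_ccache(run_as='named')` in the bindinstance hunk names no cache, so kdestroy destroys whatever the default credentials cache for the named uid resolves to under the empty environment the helper passes; if named is configured with an explicit cache (for example through KRB5CCNAME in its service environment), that is the one left behind, so the known path should be passed as `ccache_path=` the way the adtrust and httpd callers do. The same applies to `installutils.remove_ccache(run_as=DS_USER)` in the dsinstance hunk. Separately, bindinstance, dsinstance and odsexporterinstance receive only the uninstall-side `remove_keytab` here; if each of them creates its keytab with `installutils.create_keytab` in an install step (those paths are outside this diff), that step should call `installutils.remove_keytab(...)` before `kadmin_addprinc` as the dnskeysyncinstance and httpinstance hunks do, otherwise a stale keytab from an earlier install keeps its old entries alongside the new ones. The enclosing method starts before this hunk.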
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 15b23a870..7bdcaea31 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -937,8 +937,8 @@ class DsInstance(service.Service):
 root_logger.debug("Removing DS instance %s" % serverid)
 try:
 remove_ds_instance(serverid)
- root_logger.debug("Removing DS keytab")
- installutils.remove_file(paths.DS_KEYTAB)
+ installutils.remove_keytab(paths.DS_KEYTAB)
+ installutils.remove_ccache(run_as=DS_USER)
 except ipautil.CalledProcessError:
 root_logger.error("Failed to remove DS instance. You may "
 "need to remove instance data manually")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 53ccc24cc..305627031 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
 def __create_http_keytab(self):
 if not self.promote:
+ installutils.remove_keytab(paths.IPA_KEYTAB)
 installutils.kadmin_addprinc(self.principal)
 installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
 self.move_service(self.principal)
@@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
 # Clean up existing ccache
 # Make sure that empty env is passed to avoid passing KRB5CCNAME from
 # current env
- ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
+ ipautil.run(
+ [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
 def __configure_http(self):
 target_fname = paths.HTTPD_IPA_CONF
@@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
 root_logger.debug(error)
 pass
- # Remove the ccache file for the HTTPD service
- ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
- raiseonerr=False)
+ installutils.remove_keytab(paths.IPA_KEYTAB)
+ installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
+ run_as=HTTPD_USER)
 # Remove the configuration files we create
 installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
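Review bot: The `ipautil.run([paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})` line in the @@ -198 hunk of httpinstance.py still spells the kdestroy invocation by hand because the new `installutils.remove_ccache` has no way to pass `-A`; since this is the one caller that needs the whole cache collection cleared rather than a single cache, extending the helper (for example a keyword `all_caches=False` that appends `-A`) and calling it here keeps the empty-environment and error-handling policy in one place. The @@ -499 hunk also drops the `# Remove the ccache file for the HTTPD service` comment when it replaces the run call; a line such as `# Remove the HTTPD service keytab and credentials cache` above the two helper calls keeps the intent readable. Both hunks sit inside methods whose bodies continue outside the hunk.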
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b15fdc037..5cad05dd4 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -20,6 +20,7 @@ from __future__ import absolute_import
 from __future__ import print_function
+import errno
 import socket
 import getpass
 import gssapi
@@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
 for dn in remaining_changes:
 root_logger.error(
 "DN: %s does not exists or haven't been updated", dn)
+
+
+def remove_keytab(keytab_path):
+ """
+ Remove Kerberos keytab and issue a warning if the procedure fails
+
+ :param keytab_path: path to the keytab file
+ """
+ try:
+ root_logger.debug("Removing service keytab: {}".format(keytab_path))
+ os.remove(keytab_path)
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ root_logger.warning("Failed to remove Kerberos keytab '{}': "
+ "{}".format(keytab_path, e))
+ root_logger.warning("You may have to remove it manually")
+
+
+def remove_ccache(ccache_path=None, run_as=None):
+ """
+ remove Kerberos credential cache, essentially a wrapper around kdestroy.
+
+ :param ccache_path: path to the ccache file
+ :param run_as: run kdestroy as this user
+ """
+ root_logger.debug("Removing service credentials cache")
+ kdestroy_cmd = [paths.KDESTROY]
+ if ccache_path is not None:
+ root_logger.debug("Ccache path: '{}'".format(ccache_path))
+ kdestroy_cmd.extend(['-c', ccache_path])
+
+ try:
+ ipautil.run(kdestroy_cmd, runas=run_as, env={})
+ except ipautil.CalledProcessError as e:
+ root_logger.warning(
+ "Failed to clear Kerberos credentials cache: {}".format(e))
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 27a9247de..2d072cc93 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
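Review bot: `remove_ccache` in the @@ -1339 hunk logs a "Failed to clear Kerberos credentials cache" warning whenever the cache it is asked to destroy does not exist, because kdestroy exits non-zero in that case (at least for FILE caches) and `ipautil.run` then raises; the install-time call in adtrustinstance.py and every uninstall caller hit this on a host where the cache was never created, so the warning becomes noise rather than a signal. For the plain file paths the callers pass, `if ccache_path is not None and not os.path.exists(ccache_path): return` before building `kdestroy_cmd` avoids it (a DIR: or KEYRING: name would need a different check, so document that the helper expects a file path). Calling `remove_ccache()` with neither argument runs kdestroy as the invoking root user against root's own default cache under an empty environment; no caller in this commit does that, but `if ccache_path is None and run_as is None: raise ValueError("ccache_path or run_as is required")` makes the contract explicit. The `remove_keytab` docstring should also say that a missing keytab is silently accepted, since the `errno.ENOENT` branch is the helper's main behaviour on a clean host.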
@@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
 if signerd_running:
 signerd_service.start()
+
+ installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
+ installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE) |