author | Martin Babinsky <mbabinsk@redhat.com> | 2016-10-27 12:59:10 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:13:56 +0100 |
commit | 3d5161d7e943fc6d4d092d18fc980fd40d21a59f (patch) | |
tree | 2df71e8b07e46162adaf2815992dac56776c3956 /ipaclient/install/client.py | |
parent | 8e36e030910a4a6ec5ddb37cc19824f37b25ab51 (diff) | |
Separate function to purge IPA host principals from keytab
This functionality will be reused in the DL0 host enrollment
https://fedorahosted.org/freeipa/ticket/6434
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaclient/install/client.py')
-rw-r--r-- | ipaclient/install/client.py | 55 |
1 files changed, 31 insertions, 24 deletions
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 20ea06b25..04c26d5b7 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -613,7 +613,8 @@ def hardcode_ldap_server(cli_server):
 def configure_krb5_conf(
 cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
- options, filename, client_domain, client_hostname):
+ filename, client_domain, client_hostname, force=False,
+ configure_sssd=True):
 krbconf = IPAChangeConf("IPA Installer")
 krbconf.setOptionAssignment((" = ", " "))
@@ -637,7 +638,7 @@ def configure_krb5_conf(
 ]
 # SSSD include dir
- if options.sssd:
+ if configure_sssd:
 opts.extend([
 {
 'name': 'includedir',
@@ -651,7 +652,7 @@ def configure_krb5_conf(
 libopts = [
 krbconf.setOption('default_realm', cli_realm)
 ]
- if not dnsok or not cli_kdc or options.force:
+ if not dnsok or not cli_kdc or force:
 libopts.extend([
 krbconf.setOption('dns_lookup_realm', 'false'),
 krbconf.setOption('dns_lookup_kdc', 'false')
@@ -681,7 +682,7 @@ def configure_krb5_conf(
 # the following are necessary only if DNS discovery does not work
 kropts = []
- if not dnsok or not cli_kdc or options.force:
+ if not dnsok or not cli_kdc or force:
 # [realms]
 for server in cli_server:
 kropts.extend([
@@ -1901,6 +1902,25 @@ def configure_firefox(options, statestore, domain):
 root_logger.error("Firefox configuration failed.")
+def purge_host_keytab(realm):
+ try:
+ ipautil.run([
+ paths.IPA_RMKEYTAB,
+ '-k', paths.KRB5_KEYTAB, '-r', realm
+ ])
+ except CalledProcessError as e:
+ if e.returncode not in (3, 5):
+ # 3 - Unable to open keytab
+ # 5 - Principal name or realm not found in keytab
+ root_logger.error(
+ "Error trying to clean keytab: "
+ "/usr/sbin/ipa-rmkeytab returned %s", e.returncode)
+ else:
+ root_logger.info(
+ "Removed old keys for realm %s from %s",
+ realm, paths.KRB5_KEYTAB)
+
+
 def install(options, env, fstore, statestore):
 dnsok = False 
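Review bot: Removing `options` from the middle of the positional parameter list of `configure_krb5_conf` means a caller that still passes arguments by position will bind its old `options` object to `filename` with no error at the call. The two call sites updated later in this commit use keywords, but callers outside this file are not visible here and should be checked. The new flags also deserve a docstring, since `force` disables `dns_lookup_realm`/`dns_lookup_kdc` and `configure_sssd` adds the SSSD include directory, e.g. `"""Write krb5.conf to filename; force=True disables DNS lookup of realm and KDC, configure_sssd adds the SSSD includedir."""`. The function body continues outside the hunk.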
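Review bot: `purge_host_keytab` logs a failed `ipa-rmkeytab` run and then returns normally, so a caller cannot tell whether old host keys for the realm are still present in `paths.KRB5_KEYTAB`; this matters more now that the helper is meant to be reused by another enrollment path. Consider returning a boolean (or re-raising for exit codes other than 3 and 5), and add a docstring stating that codes 3 and 5 are treated as "nothing to remove". The error message also hard-codes `/usr/sbin/ipa-rmkeytab` although the command actually run is `paths.IPA_RMKEYTAB`; log the constant instead: `"Error trying to clean keytab: %s returned %s", paths.IPA_RMKEYTAB, e.returncode)`. The call in `install()` in the following hunk ignores the outcome in the same way.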
@@ -2222,22 +2242,7 @@ def install(options, env, fstore, statestore):
 if not options.on_master:
 # Try removing old principals from the keytab
- try:
- ipautil.run([
- paths.IPA_RMKEYTAB,
- '-k', paths.KRB5_KEYTAB, '-r', cli_realm
- ])
- except CalledProcessError as e:
- if e.returncode not in (3, 5):
- # 3 - Unable to open keytab
- # 5 - Principal name or realm not found in keytab
- root_logger.error(
- "Error trying to clean keytab: "
- "/usr/sbin/ipa-rmkeytab returned %s", e.returncode)
- else:
- root_logger.info(
- "Removed old keys for realm %s from %s",
- cli_realm, paths.KRB5_KEYTAB)
+ purge_host_keytab(cli_realm)
 if options.hostname and not options.on_master:
 # skip this step when run by ipa-server-install as it always configures
@@ -2299,10 +2304,11 @@ def install(options, env, fstore, statestore):
 cli_server=cli_server,
 cli_kdc=cli_kdc,
 dnsok=False,
- options=options,
 filename=krb_name,
 client_domain=client_domain,
- client_hostname=hostname)
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
 env['KRB5_CONFIG'] = krb_name
 ccache_dir = tempfile.mkdtemp(prefix='krbcc')
 ccache_name = os.path.join(ccache_dir, 'ccache')
@@ -2508,10 +2514,11 @@ def install(options, env, fstore, statestore):
 cli_server=cli_server,
 cli_kdc=cli_kdc,
 dnsok=dnsok,
- options=options,
 filename=paths.KRB5_CONF,
 client_domain=client_domain,
- client_hostname=hostname)
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
 root_logger.info(
 "Configured /etc/krb5.conf for IPA realm %s", cli_realm) |