authorSimo Sorce <simo@redhat.com>2016-12-07 04:33:40 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitb109f5d850ce13585d4392ca48896dc069a746e5 (patch)
treeca1e3c0d8577c1802785b6a645c3169a36e22f2f /ipaserver
parent38c66896de1769077cd5b057133606ec5eeaf62b (diff)
Drop use of kinit_as_http from trust code
The framework will not have direct access to the keytab anymore. This function was used in two places, to fetch the domain list and to re-initialize the PAC when enabling or disabling a domain trust. The domain list is normally fetched via oddjob anyway so this use is not necessary anymore, and the MS-PAC re-initialization can be moved later to oddjob if needed. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/dcerpc.py48
-rw-r--r--ipaserver/plugins/trust.py6
2 files changed, 3 insertions, 51 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index aa790b75f..f00141bb5 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -633,50 +633,6 @@ class DomainValidator(object):
return u'S-%d-%d-%s' % (sid_rev_num, ia,
'-'.join([str(s) for s in subs]),)
- def kinit_as_http(self, domain):
- """
- Initializes ccache with http service credentials.
-
- Applies session code defaults for ccache directory and naming prefix.
- Session code uses kinit_+<pid>, we use
- kinit_+<TD>+<domain netbios name> so there is no clash.
-
- Returns tuple (ccache path, principal) where (None, None) signifes an
- error on ccache initialization
- """
-
- domain_suffix = domain.replace('.', '-')
-
- ccache_name = "kinit_TD%s" % (domain_suffix)
- ccache_path = os.path.join(paths.IPA_CCACHES, ccache_name)
-
- realm = api.env.realm
- hostname = api.env.host
- principal = 'HTTP/%s@%s' % (hostname, realm)
- keytab = paths.IPA_KEYTAB
-
- # Destroy the contents of the ccache
- root_logger.debug('Destroying the contents of the separate ccache')
-
- ipautil.run(
- [paths.KDESTROY, '-A', '-c', ccache_path],
- env={'KRB5CCNAME': ccache_path},
- raiseonerr=False)
-
- # Destroy the contents of the ccache
- root_logger.debug('Running kinit from ipa.keytab to obtain HTTP '
- 'service principal with MS-PAC attached.')
-
- result = ipautil.run(
- [paths.KINIT, '-kt', keytab, principal],
- env={'KRB5CCNAME': ccache_path},
- raiseonerr=False)
-
- if result.returncode == 0:
- return (ccache_path, principal)
- else:
- return (None, None)
-
def kinit_as_administrator(self, domain):
"""
Initializes ccache with http service credentials.
@@ -1481,7 +1437,9 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
ccache_name, _principal = domval.kinit_as_administrator(
trustdomain)
else:
- ccache_name, _principal = domval.kinit_as_http(trustdomain)
+ raise errors.ValidationError(name=_('Credentials'),
+ error=_('Missing credentials for '
+ 'cross-forest communication'))
td.creds = credentials.Credentials()
td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
if ccache_name:
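Review bot: With the else branch now raising, the `if ccache_name:` guard that follows only covers the case where `kinit_as_administrator` itself fails, and that failure still proceeds silently into the Samba call with `MUST_USE_KERBEROS` set but no ccache attached; if `kinit_as_administrator` returns `(None, None)` on error like the removed `kinit_as_http` did, that path deserves an explicit error as well, e.g. `if not ccache_name: raise errors.ACIError(info=_('Could not obtain a ticket for the provided credentials'))` (or whichever error type the callers already handle) rather than a best-effort fall-through. The condition that selects between the two branches and the rest of `fetch_domains` are outside the hunk, so whether `creds` is validated earlier cannot be confirmed here. Separately, the docstring of the surviving `kinit_as_administrator` (context in the first hunk) still reads "Initializes ccache with http service credentials", which is now actively misleading once the HTTP variant is gone; it should say it uses the supplied administrator credentials.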
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index c84b1aa08..3de245846 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1813,9 +1813,6 @@ class trustdomain_enable(LDAPQuery):
if sid in trust_entry['ipantsidblacklistincoming']:
trust_entry['ipantsidblacklistincoming'].remove(sid)
ldap.update_entry(trust_entry)
- # Force MS-PAC cache re-initialization on KDC side
- domval = ipaserver.dcerpc.DomainValidator(self.api)
- domval.kinit_as_http(keys[0])
else:
raise errors.AlreadyActive()
except errors.NotFound:
@@ -1854,9 +1851,6 @@ class trustdomain_disable(LDAPQuery):
if not (sid in trust_entry['ipantsidblacklistincoming']):
trust_entry['ipantsidblacklistincoming'].append(sid)
ldap.update_entry(trust_entry)
- # Force MS-PAC cache re-initialization on KDC side
- domval = ipaserver.dcerpc.DomainValidator(self.api)
- domval.kinit_as_http(keys[0])
else:
raise errors.AlreadyInactive()
except errors.NotFound: