authorMartin Babinsky <mbabinsk@redhat.com>2017-02-03 17:14:20 +0100
committerMartin Basti <mbasti@redhat.com>2017-02-22 18:50:30 +0100
commitaf998c4d30175fb3ecc148e1b3a7aca03ef9239a (patch)
tree754036b811ebcaa7153e971a1370a5a09909ea21 /ipaserver
parentb8f304c66994ae82ea484a4e8bd057d4ccf1e6bd (diff)
allow for more flexibility when requesting service keytab
The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/service.py41
1 files changed, 26 insertions, 15 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index b9d1ffc63..80bb4bbe1 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,22 +540,35 @@ class Service(object):
except errors.DuplicateEntry:
pass
+ def clean_previous_keytab(self, keytab=None):
+ if keytab is None:
+ keytab = self.keytab
+
+ self.fstore.backup_file(keytab)
+ try:
+ os.unlink(keytab)
+ except OSError:
+ pass
+
+ def set_keytab_owner(self, keytab=None, owner=None):
+ if keytab is None:
+ keytab = self.keytab
+ if owner is None:
+ owner = self.service_user
+
+ pent = pwd.getpwnam(owner)
+ os.chown(keytab, pent.pw_uid, pent.pw_gid)
+
def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
"""
- backup and remove old service keytab (if present) and fetch a new one
- using ipa-getkeytab. This assumes that the service principal is already
- created in LDAP. By default GSSAPI authentication is used unless:
+ retrieve service keytab using ipa-getkeytab. This assumes that the
+ service principal is already created in LDAP. By default GSSAPI
+ authentication is used unless:
* LDAPI socket is used and effective process UID is 0, then
autobind is used by EXTERNAL SASL mech
* self.dm_password is not none, then DM credentials are used to
fetch keytab
"""
- self.fstore.backup_file(keytab)
- try:
- os.unlink(keytab)
- except OSError:
- pass
-
args = [paths.IPA_GETKEYTAB,
'-k', keytab,
'-p', principal,
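Review bot: `clean_previous_keytab` still swallows every `OSError` from `os.unlink` (the `except OSError: pass` carried over into the new method), so a stale keytab that cannot be removed (EACCES/EPERM, or a directory sitting at that path) is silently left in place and `ipa-getkeytab` is then pointed at it; only ENOENT is the benign "nothing to clean" case. Narrow the handler to `except OSError as e:` followed by `if e.errno != errno.ENOENT: raise` — `errno` is not imported anywhere in this hunk, so check the file's import block. `set_keytab_owner` changes ownership only; the mode bits are whatever `ipa-getkeytab` created, which this hunk does not show, so if that turns out to be umask-dependent an `os.chmod(keytab, 0o600)` after the `os.chown` would be a cheap safeguard worth confirming against ipa-getkeytab's behaviour. Both new methods are complete within the hunk; the enclosing `Service` class and `run_getkeytab` continue outside it.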
@@ -576,17 +589,15 @@ class Service(object):
ipautil.run(args, nolog=nolog)
def _request_service_keytab(self):
- if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+ if any(attr is None for attr in (self.principal, self.keytab)):
raise NotImplementedError(
"service must have defined principal "
- "name, keytab, and username")
+ "name and keytab")
self._add_service_principal()
+ self.clean_previous_keytab()
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
-
- pent = pwd.getpwnam(self.keytab_user)
- os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+ self.set_keytab_owner()
class SimpleServiceInstance(Service):
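Review bot: Dropping `self.service_user` from the precondition check in `_request_service_keytab` removes the only guard on the default owner: a subclass that leaves `service_user` as `None` and does not override `set_keytab_owner` now fails inside `pwd.getpwnam(None)` with a `TypeError` instead of the explicit `NotImplementedError` it raised before. If the intent is that such installers must override the hook, make the failure say so where it happens, in `set_keytab_owner`: `if owner is None: raise NotImplementedError("service must define service_user or override set_keytab_owner")`. The default owner also moved from `self.keytab_user` (the removed `pwd.getpwnam(self.keytab_user)` line) to `self.service_user`; whether those resolve to the same account on every installer is not visible here and is worth confirming, since it decides who ends up owning the fetched keytab. `_request_service_keytab` is complete within the hunk; `Service` and `SimpleServiceInstance` extend beyond it.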