From e7a876d88a0ed07de69d9654ebdbf8ebb7bda364 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Tue, 1 Sep 2015 16:17:16 +0200
Subject: DNSSEC: remove ccache and keytab of ipa-ods-exporter
Reusing old ccache after reinstall causes authentication error. And prevents DNSSEC from working. Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Petr Spacek
---
 daemons/dnssec/ipa-ods-exporter | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/odsexporterinstance.py | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 4c7de851b..49be502d2 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -483,7 +483,7 @@ ipalib.api.finalize()
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
+ccache_name = paths.IPA_ODS_EXPORTER_CCACHE
 try:
 ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 5c8f25d6e..a407c1273 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -333,6 +333,7 @@ class BasePathNamespace(object):
 NAMED_RUN = "/var/named/data/named.run"
 VAR_OPENDNSSEC_DIR = "/var/opendnssec"
 OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
+ IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
 VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
 KRB5CC_HTTPD = "/var/run/httpd/ipa/krbcache/krb5ccache"
 IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 20ba4fbd4..e9ba51027 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
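Review bot: The new `ccache_name = paths.IPA_ODS_EXPORTER_CCACHE` line in ipa-ods-exporter puts the daemon's credential cache at a fixed, well-known path (`/var/opendnssec/tmp/ipa-ods-exporter.ccache`, added in the paths.py hunk), and nothing visible here states who may write to that directory. The cache holds the exporter's Kerberos ticket, so its safety depends on the directory being owned by the daemon's account and not writable by group or others. I would record that requirement next to the assignment, for example `# ccache holds the exporter's TGT; its directory must be writable only by the daemon's own account`. The `ipautil.kinit_keytab(...)` call is cut off at the end of the hunk, so the remaining arguments and the error handling around it are not visible.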
@@ -93,6 +93,13 @@ class ODSExporterInstance(service.Service):
 def __setup_principal(self):
 assert self.ods_uid is not None
+
+ for f in [paths.IPA_ODS_EXPORTER_CCACHE, paths.IPA_ODS_EXPORTER_KEYTAB]:
+ try:
+ os.remove(f)
+ except OSError:
+ pass
+
 dns_exporter_principal = "ipa-ods-exporter/" + self.fqdn + "@" + self.realm
 installutils.kadmin_addprinc(dns_exporter_principal)
-- cgit
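Review bot: The added `except OSError: pass` in `__setup_principal` hides every removal failure, not only the file being absent. If `os.remove` fails on permissions, or because the path is a directory, the stale ccache or keytab stays in place and the install continues as though cleanup had succeeded, which is the situation this commit sets out to prevent. Ignoring only the missing-file case keeps the best-effort intent: `except OSError as e:` followed by `if e.errno != errno.ENOENT: raise` (or a log call instead of `raise`). That needs `errno` imported in the module, which the hunk does not show. The keytab holds the service's long-term key, so a failed delete deserves to be surfaced for that reason too. The method body continues past the end of the hunk.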