authorRob Crittenden <rcritten@redhat.com>2012-10-01 13:05:11 -0400
committerMartin Kosek <mkosek@redhat.com>2012-10-03 19:22:00 +0200
commit5bf1cee702e36667300bff4768755dd61f694367 (patch)
tree6aac3b0dd04310a5b525504dedecd5659b52ab88 /ipalib/rpc.py
parent9c0426c3ed6045e3af54c5c00be23bb63eb92606 (diff)
Clear kernel keyring in client installer, save dbdir on new connections
This patch addresses two issues:

1. If a client was previously enrolled in an IPA server and the server gets re-installed, then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client.

2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections, which could cause an NSS_Shutdown() to happen, which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism.

https://fedorahosted.org/freeipa/ticket/3108
Diffstat (limited to 'ipalib/rpc.py')
-rw-r--r--ipalib/rpc.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index fc135f4f6..e97536d9d 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -546,8 +546,23 @@ class xmlclient(Connectible):
# This shouldn't happen if we have a session but
# it isn't fatal.
pass
+
+ # Create a new serverproxy with the non-session URI. If there
+ # is an existing connection we need to save the NSS dbdir so
+ # we can skip an unnecessary NSS_Initialize() and avoid
+ # NSS_Shutdown issues.
serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate)
+
+ dbdir = None
+ current_conn = getattr(context, self.id, None)
+ if current_conn is not None:
+ dbdir = getattr(current_conn.conn._ServerProxy__transport, 'dbdir', None)
+ if dbdir is not None:
+ self.debug('Using dbdir %s' % dbdir)
setattr(context, self.id, Connection(serverproxy, self.disconnect))
+ if dbdir is not None:
+ current_conn = getattr(context, self.id, None)
+ current_conn.conn._ServerProxy__transport.dbdir = dbdir
return self.forward(name, *args, **kw)
raise NetworkError(uri=server, error=e.errmsg)
except socket.error, e:
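Review bot: The value written back at `current_conn.conn._ServerProxy__transport.dbdir = dbdir` is copied from the old transport without being compared to the database the new connection is configured for. The retry on the non-session URI will presumably skip NSS_Initialize() because of it, and since the NSS database holds the CA trust used to verify the server, it is worth confirming in create_connection (outside this hunk) that the two always agree, or adding a comment here stating that invariant. Both accesses also go through the name-mangled `_ServerProxy__transport`, and only the final `dbdir` lookup has a getattr default, so a stored connection without that attribute raises AttributeError inside this retry path and hides the original error; `transport = getattr(current_conn.conn, '_ServerProxy__transport', None)` followed by `dbdir = getattr(transport, 'dbdir', None)` keeps the fallback non-fatal. The second `getattr(context, self.id, None)` can be avoided by holding the new object in a local, `conn = Connection(serverproxy, self.disconnect)`, before the `setattr`. The enclosing method and its try/except start and end outside the hunk.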