URL: https://github.com/freeipa/freeipa/pull/1675
Author: flo-renaud
 Title: #1675: [Backport][ipa-4-5] ipa-server-install: handle error when 
calling kdb5_util create
Action: opened

PR body:
This PR was opened automatically because PR #1664 was pushed to master and 
backport to ipa-4-5 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1675/head:pr1675
git checkout pr1675
From b2e2b2d83691059be8191977840951ef1ec7a9c3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 9 Mar 2018 11:45:57 +0100
Subject: [PATCH] ipa-server-install: handle error when calling kdb5_util

ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions

but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.

The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.

Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.

 ipaserver/install/krbinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 34fe46aa8e..5c15c3b8cf 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -324,8 +324,9 @@ def __init_ipa_kdb(self):
             ipautil.run(args, nolog=(self.master_password,), stdin=''.join(dialogue))
-        except ipautil.CalledProcessError:
-            print("Failed to initialize the realm container")
+        except ipautil.CalledProcessError as error:
+            logger.debug("kdb5_util failed with %s", error)
+            raise RuntimeError("Failed to initialize kerberos container")
     def __configure_instance(self):
         self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to