URL: https://github.com/freeipa/freeipa/pull/5936
Author: rcritten
Title: #5936: Provide more information in ipa-certupdate on ccache failure
Action: opened
PR body:
"""
ipa-certupdate obtains host credentials to operate. If this fails with a ccache error this can be confusing if the user executing it already has admin credentials. Include the principal being retrieved and the keytab being used.

This basically intercepts the exception to log additional information and lets the exception be handled at a higher level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>

I've only reproduced this with contrived use-cases but when I did run into it during development debugging the root cause was difficult so providing this information can be useful.

As for test automation, I think it's overkill.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5936/head:pr5936
git checkout pr5936
From 2a32c8b3c08ff3f9dcbf62a9a02dec3eb5274a83 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Fri, 30 Jul 2021 15:40:32 -0400 Subject: [PATCH] Provide more information in ipa-certupdate on ccache failure ipa-certupdate obtains host credentials to operate. If this fails with a ccache error this can be confusing if the user executing it already has admin credentials. Include the principal being retrieved and the keytab being used. This basically intercepts the exception to log additional information and lets the exception be handled at a higher level. https://pagure.io/freeipa/issue/8257 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaclient/install/ipa_certupdate.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 6311ffea9d9..42ad684367d 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -31,7 +31,7 @@ from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509 -from ipalib.constants import IPA_CA_NICKNAME, RENEWAL_CA_NAME +from ipalib.constants import FQDN, IPA_CA_NICKNAME, RENEWAL_CA_NAME from ipalib.util import check_client_configuration logger = logging.getLogger(__name__) @@ -62,6 +62,12 @@ def run(self): api.Backend.rpcclient.connect() run_with_args(api) api.Backend.rpcclient.disconnect() + except errors.CCacheError: + logger.error( + "Unable to obtain credentials for %s from /etc/krb5.keytab", + FQDN + ) + raise finally: if old_krb5ccname is None: del os.environ['KRB5CCNAME']
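Review bot: the log call in the new `except errors.CCacheError` branch hard-codes `/etc/krb5.keytab` inside the format string even though `paths` is already imported from `ipaplatform.paths` at the top of this file. Passing the keytab path as a second `%s` argument, taken from the same value the credential-acquisition code uses, would keep the message accurate if that path ever differs from the literal. The commit message says the principal being retrieved is included, but the message prints only `FQDN`, which is the host name; logging the full principal that was requested would match the description and is more useful when the service or realm part is what is wrong. Because the branch re-raises, it is also worth confirming that the higher-level handler does not report the same failure a second time at error level.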