This removes old principals for the newly installed realm from /etc/krb5.keytab before client installation. The ticket also mentioned doing this for server/replica installs, but in that case the keytab is removed and created from scratch.

https://fedorahosted.org/freeipa/ticket/2698

--
Petr³
From 693d60a9b9601ee12dc185c38bf68550b10e5d43 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 6 Jun 2012 10:44:06 -0400
Subject: [PATCH] Clean keytabs before installing new keys into them

In ipa-client-install (which is also called from server/replica
installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be
sure that there aren't any remnants from a previous install of
IPA or another KDC altogether.

https://fedorahosted.org/freeipa/ticket/2698
---
 ipa-client/ipa-install/ipa-client-install |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afc332a99757039679f9e4dfd1bdc63b376e6c6e..79df8972c14a94ca4380b433fa98bbc11476184a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1206,6 +1206,21 @@ def install(options, env, fstore, statestore):
     if not options.unattended and not user_input("Continue to configure the system with these values?", False):
         return CLIENT_INSTALL_ERROR
 
+    if not options.on_master:
+        # Try removing old principals from the keytab
+        try:
+            ipautil.run(['/usr/sbin/ipa-rmkeytab',
+                '-k', '/etc/krb5.keytab', '-r', cli_realm])
+        except CalledProcessError, e:
+            if e.returncode not in (3, 5):
+                # 3 - Unable to open keytab
+                # 5 - Principal name or realm not found in keytab
+                root_logger.error("Error trying to clean keytab: " +
+                    "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
+        else:
+            root_logger.info("Removed old keys for realm %s from %s" % (
+                cli_realm, '/etc/krb5.keytab'))
+
     if options.hostname and not options.on_master:
         # configure /etc/sysconfig/network to contain the hostname we set.
         # skip this step when run by ipa-server-install as it always configures
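Review bot: when `ipa-rmkeytab` exits with a code other than 3 or 5, the branch at `if e.returncode not in (3, 5):` only logs the error and install() carries on, so the stale principals this patch exists to remove can stay in /etc/krb5.keytab while the new keys are added on top of them; either return CLIENT_INSTALL_ERROR there, or state in the log message that old keys for the realm may remain, so the decision to continue is deliberate and visible. Two smaller points: the comments explaining codes 3 and 5 sit inside the `if` body and would read better directly above the `if e.returncode not in (3, 5):` line, and '/usr/sbin/ipa-rmkeytab' and '/etc/krb5.keytab' are each spelled out twice in the hunk, so a local variable (or the script's existing path constants, if it has any) keeps the command and the two log messages in sync. Also confirm that `CalledProcessError` is imported in this script, since the hunk uses the bare name.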
-- 
1.7.10.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
