On 06/04/2013 01:29 PM, Tomas Babej wrote:
On 06/03/2013 02:58 PM, Martin Kosek wrote:
On 06/03/2013 02:43 PM, Tomas Babej wrote:

this patch fixes the installation problems on master on F19 with krb5 packages
= 1.11.2-6

1) Leaving cache_desc open:

+        (cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+        os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the installation? Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like

A common function, or other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

I moved the responsible code to the PrivateCCache class, both for readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed to reproduce the error only with dns-install though (fails on adding the service principal), but having a private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an issue.

My reasoning was flawed here, ipa-adtrust-install attempts to re-kinit admin ticket, so it needs the private ccache as well.

Sending one-liner fix.



From 0177d6a7f14b87f42647376001e6ac580ca38e57 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 5 Jun 2013 13:17:19 +0200
Subject: [PATCH] Use private ccache in ipa-adtrust-install

The ipa-adtrust-install script attempts to automatically re-kinit
admin user ticket, hence it needs private ccache or the usage
of the ipa-adtrust-install with sudo/su will fail.

 install/tools/ipa-adtrust-install | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f67aee5f55877d7ef1691e98dfdb8d8718..09831617de7daf03e876897eef1d99d9a1a4a8c6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -405,5 +405,6 @@ information"""
     return 0
 if __name__ == '__main__':
-    run_script(main, log_file_name=log_file_name,
-            operation_name='ipa-adtrust-install')
+    with private_ccache():
+        run_script(main, log_file_name=log_file_name,
+                   operation_name='ipa-adtrust-install')
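
Review bot: At "with private_ccache():" under "if __name__ == '__main__':", the name private_ccache is used but nothing in this patch imports it; the diffstat counts 3 insertions and this hunk accounts for all three. Please confirm that ipa-adtrust-install already imports it, or add the import to this patch, since otherwise the script stops with a NameError before run_script is reached. The earlier message in the thread calls the helper the PrivateCCache class, so the spelling used here is worth checking against the helper as it was actually added. A one-line comment above the with statement saying that the private ccache is there because the script re-kinits the admin ticket would also help later readers.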

Freeipa-devel mailing list
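
Added example, not part of the thread and not FreeIPA's own code: a sketch of the private-ccache pattern discussed above, with the mkstemp descriptor closed immediately as the review asks and the caller's KRB5CCNAME restored afterwards. The names private_ccache_example and demo and the sample KRB5CCNAME value are assumptions made for illustration.

```python
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def private_ccache_example(prefix='krbcc'):
    """Hypothetical helper: run a block with KRB5CCNAME set to a fresh file."""
    # mkstemp creates the file readable and writable only by the owner
    # and returns an already-open descriptor plus the path.
    fd, path = tempfile.mkstemp(prefix=prefix)
    os.close(fd)  # only the path is needed, so do not hold the descriptor
    saved = os.environ.get('KRB5CCNAME')
    os.environ['KRB5CCNAME'] = path
    try:
        yield path
    finally:
        # Restore the caller's setting even when the block raised.
        if saved is None:
            os.environ.pop('KRB5CCNAME', None)
        else:
            os.environ['KRB5CCNAME'] = saved
        # Remove the cache so tickets do not outlive the run.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def demo():
    """Constructed scenario: a ccache setting inherited through sudo/su."""
    inherited = 'FILE:/tmp/krb5cc_1000_constructed'  # constructed sample value
    os.environ['KRB5CCNAME'] = inherited
    seen = {}
    try:
        with private_ccache_example() as path:
            seen['path'] = path
            seen['inside'] = os.environ['KRB5CCNAME']
            seen['mode'] = oct(os.stat(path).st_mode & 0o777)
            raise RuntimeError('simulated installer failure')
    except RuntimeError:
        pass
    seen['after'] = os.environ['KRB5CCNAME']
    seen['removed'] = not os.path.exists(seen['path'])
    return seen


if __name__ == '__main__':
    print(demo())
```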
