Related to ticket  https://fedorahosted.org/freeipa/ticket/5273

Patches attached.

From 768bea7a23d75adf6a470ea7b52a6fc05950936e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 1 Sep 2015 12:10:00 +0200
Subject: [PATCH 1/2] DNSSEC: backup and restore opendnssec zone list file

When the zone list is not restored after uninstall, this may slow down
enabling DNSSEC signing for zones and print unwanted
errors into the log after a new installation.

Related to: https://fedorahosted.org/freeipa/ticket/5273
---
 ipaserver/install/opendnssecinstance.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 383de77687abee452719933bd43eee6c5fa912ab..c92818f1a14f0f3f01eb042e96ca8a4c20a3df62 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -168,6 +168,9 @@ class OpenDNSSECInstance(service.Service):
         if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE):
             self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE)
 
+        if not self.fstore.has_file(paths.OPENDNSSEC_ZONELIST_FILE):
+            self.fstore.backup_file(paths.OPENDNSSEC_ZONELIST_FILE)
+
         pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r")
         pin = pin_fd.read()
         pin_fd.close()
@@ -354,7 +357,8 @@ class OpenDNSSECInstance(service.Service):
                                  paths.IPA_KASP_DB_BACKUP)
 
         for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
-                  paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS]:
+                  paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS,
+                  paths.OPENDNSSEC_ZONELIST_FILE]:
             try:
                 self.fstore.restore_file(f)
             except ValueError as error:
-- 
2.4.3

From 6cec1173614fb43f94773b63b695ede2e9bfab1b Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 1 Sep 2015 16:17:16 +0200
Subject: [PATCH 2/2] DNSSEC: remove ccache and keytab of ipa-ods-exporter

Reusing an old ccache after reinstall causes an authentication error and
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
---
 daemons/dnssec/ipa-ods-exporter          | 2 +-
 ipaplatform/base/paths.py                | 1 +
 ipaserver/install/odsexporterinstance.py | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 9660cc784c4a56d1644eaa66b39061f7bfbad052..d8c84b7ce8edfc4474cb16dfdf9f7a95b74ea044 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -489,7 +489,7 @@ ipalib.api.finalize()
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
+ccache_name = paths.IPA_ODS_EXPORTER_CCACHE
 
 try:
     ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
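Review bot: The credential cache location at `ccache_name = paths.IPA_ODS_EXPORTER_CCACHE` is now a fixed platform constant rather than derived from `WORKDIR`, so the daemon's working directory and the ccache path can drift apart if either is changed later. A short comment such as `# must match the path the installer removes on reinstall` would keep the two tied together. Because the cache has a predictable name inside a directory called `tmp`, it is worth confirming (not visible in this hunk) that the directory is owned by the daemon's user and not writable by anyone else. The `kinit_keytab` call continues past the end of the hunk.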
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931..a407c1273f01b3465bcb1985dd41f2f242346a62 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -333,6 +333,7 @@ class BasePathNamespace(object):
     NAMED_RUN = "/var/named/data/named.run"
     VAR_OPENDNSSEC_DIR = "/var/opendnssec"
     OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
+    IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
     VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
     KRB5CC_HTTPD = "/var/run/httpd/ipa/krbcache/krb5ccache"
     IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 20ba4fbd4d1d19469c2f70bf6d245f73277b95fe..e9ba51027eb1386384361e3f0190c40267134e9e 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -93,6 +93,13 @@ class ODSExporterInstance(service.Service):
 
     def __setup_principal(self):
         assert self.ods_uid is not None
+
+        for f in [paths.IPA_ODS_EXPORTER_CCACHE, paths.IPA_ODS_EXPORTER_KEYTAB]:
+            try:
+                os.remove(f)
+            except OSError:
+                pass
+
         dns_exporter_principal = "ipa-ods-exporter/" + self.fqdn + "@" + self.realm
         installutils.kadmin_addprinc(dns_exporter_principal)
 
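Review bot: The `except OSError: pass` around `os.remove(f)` in `__setup_principal` hides every failure, not just a missing file, so a ccache or keytab that could not be deleted (permissions, for instance) stays in place silently and the stale-credential problem this change targets can persist unnoticed. Ignore only the not-found case and let the rest surface: `except OSError as e:` followed by `if e.errno != errno.ENOENT: raise`, which needs `errno` imported (the file's imports, including `os`, are outside this hunk). Separately, the cleanup runs at install time, so as far as this hunk shows the old keytab and ccache remain on disk after an uninstall until the next install; removing them in the uninstall path as well would avoid leaving service credentials behind. The method body continues past the end of the hunk.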
-- 
2.4.3
