Fixes https://fedorahosted.org/freeipa/ticket/5243
-- Martin^3 Babinsky
From fa66bd0a5277e04b231982dabad61614ec9eddec Mon Sep 17 00:00:00 2001
From: Martin Babinsky <[email protected]>
Date: Fri, 9 Oct 2015 18:08:38 +0200
Subject: [PATCH] remove Kerberos authenticators after service uninstall

each service possessing Kerberos keytab wiil now remove it and destroy any associated credentials cache during its uninstall

https://fedorahosted.org/freeipa/ticket/5243
---
 ipaserver/install/bindinstance.py | 2 ++
 ipaserver/install/dnskeysyncinstance.py | 2 ++
 ipaserver/install/dsinstance.py | 4 ++--
 ipaserver/install/httpinstance.py | 6 +++---
 ipaserver/install/installutils.py | 28 ++++++++++++++++++++++++++++
 ipaserver/install/odsexporterinstance.py | 4 ++++
 6 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e8fdb3b83317f996959e4123b481f353c2f056c9..69abcc702eb8b1bf19c0f84f6efea7b6284dbaf1 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1203,3 +1203,5 @@ class BindInstance(service.Service):
 
         if named_regular_running:
             self.named_regular.start()
+
+        installutils.cleanup_krb5_credentials(paths.NAMED_KEYTAB, user='named')
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 68130c92558a4feb8d08fa826dbf6333d4461d1f..d02faeea5b204ace75c4e0f116a944e66c6bbc0a 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -497,3 +497,5 @@ class DNSKeySyncInstance(service.Service):
             os.remove(paths.DNSSEC_SOFTHSM_PIN)
         except Exception:
             pass
+
+        installutils.cleanup_krb5_credentials(paths.IPA_DNSKEYSYNCD_KEYTAB)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 312188273bbc2ddd6a0d4ff4e776cc6ad08a6f5e..e42e56a71882b7bf201beabab865a15ae53e9f7e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
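Review bot: The ipa-dnskeysyncd call in the dnskeysyncinstance hunk passes only the keytab, so `cleanup_krb5_credentials` takes its early-return path and never runs kdestroy; if that daemon holds a credentials cache it survives uninstall, although the commit message says any associated cache is destroyed. It is not visible from this hunk whether the daemon has a cache or a dedicated service user, so either pass them as the other call sites do, e.g. `installutils.cleanup_krb5_credentials(paths.IPA_DNSKEYSYNCD_KEYTAB, user=<DAEMON_USER placeholder>)`, or document the intent with `# ipa-dnskeysyncd keeps no credentials cache; only the keytab is removed`. The enclosing uninstall method starts outside the hunk.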
@@ -869,8 +869,8 @@ class DsInstance(service.Service):
         root_logger.debug("Removing DS instance %s" % serverid)
         try:
             remove_ds_instance(serverid)
-            root_logger.debug("Removing DS keytab")
-            installutils.remove_file(paths.DS_KEYTAB)
+            installutils.cleanup_krb5_credentials(paths.DS_KEYTAB,
+                                                  user=DS_USER)
         except ipautil.CalledProcessError:
             root_logger.error("Failed to remove DS instance. You may "
                               "need to remove instance data manually")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ee4853a3f9a8a42bd050fd8b208fc2419c323512..1ab5918a3c5214556840469cc702fbd753ec46af 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -492,9 +492,9 @@ class HTTPInstance(service.Service):
             root_logger.debug(error)
             pass
 
-        # Remove the ccache file for the HTTPD service
-        ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache',
-                    raiseonerr=False)
+        # Remove HTTPD service keytab and credentials cache
+        installutils.cleanup_krb5_credentials(
+            paths.IPA_KEYTAB, ccache=paths.KRB5CC_HTTPD, user='apache')
 
         # Remove the configuration files we create
         installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 58be9f23384f0c1734d1ba7a14182f60817a32a8..92ee232d8046553e5f590097f1dc5151a8bd81ab 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
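Review bot: In the dsinstance hunk, `installutils.cleanup_krb5_credentials(paths.DS_KEYTAB, user=DS_USER)` sits inside the `try` around `remove_ds_instance(serverid)`, so when instance removal raises `CalledProcessError` the DS keytab and its credentials cache are left on disk — precisely the situation where the admin is already being told to clean up by hand. The helper handles its own errors, so the call can be moved after the `try`/`except` block, making keytab removal independent of whether the instance teardown succeeded. The uninstall method continues outside the hunk.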
@@ -1107,3 +1107,31 @@ def enable_and_start_oddjobd(sstore):
         oddjobd.start()
     except Exception as e:
         root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+
+
+def cleanup_krb5_credentials(keytab, ccache=None, user=None):
+    """
+    Remove service keytab and credential cache if they are defined
+    """
+    try:
+        root_logger.debug("Removing service keytab: {}".format(keytab))
+        os.remove(keytab)
+    except OSError as e:
+        if e.errno != 2:
+            root_logger.warning("Failed to remove Kerberos keytab '{}': "
+                                "{}".format(keytab, e))
+            root_logger.warning("You may have to remove it manually")
+
+    if ccache is None and user is None:
+        return
+
+    root_logger.debug("Removing service credentials cache")
+    kdestroy_cmd = [paths.KDESTROY, '-A']
+    if ccache is not None:
+        root_logger.debug("Ccache path: '{}'".format(ccache))
+        kdestroy_cmd.extend(['-c', ccache])
+
+    try:
+        ipautil.run(kdestroy_cmd, runas=user)
+    except ipautil.CalledProcessError as e:
+        root_logger.warning("Failed to clear Kerberos credentials cache:", e)
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index e9ba51027eb1386384361e3f0190c40267134e9e..7091b64f134ba12d380591ac828e63760d6a1a43 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -192,3 +192,7 @@ class ODSExporterInstance(service.Service):
 
         if signerd_running:
             signerd_service.start()
+
+        installutils.cleanup_krb5_credentials(
+            paths.IPA_ODS_EXPORTER_KEYTAB,
+            ccache=paths.IPA_ODS_EXPORTER_CCACHE)
-- 
2.4.3
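Review bot: The last added line of the installutils hunk, `root_logger.warning("Failed to clear Kerberos credentials cache:", e)`, passes `e` as a %-style argument to a message that has no `%s` placeholder, so the logging module emits a formatting error instead of the warning and the kdestroy failure is effectively lost. It should read `root_logger.warning("Failed to clear Kerberos credentials cache: %s", e)`. In the keytab branch, `if e.errno != 2:` would be clearer as `if e.errno != errno.ENOENT:` (with `import errno` if installutils does not already have it). The docstring should also state that the cache is destroyed only when `ccache` or `user` is given, that `-A` clears every cache in the collection, and that kdestroy runs as `user` or as the caller when `user` is None.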
