On 11/11/2015 10:36 AM, Martin Basti wrote:


On 10.11.2015 17:36, Petr Spacek wrote:
On 4.11.2015 11:56, Martin Babinsky wrote:
On 10/22/2015 05:32 PM, Petr Spacek wrote:
On 21.10.2015 17:55, Martin Babinsky wrote:
On 10/13/2015 09:17 AM, Petr Spacek wrote:
On 12.10.2015 13:38, Martin Babinsky wrote:
each service possessing Kerberos keytab wiil now remove it and
destroy any
associated credentials cache during its uninstall

https://fedorahosted.org/freeipa/ticket/5243
BTW some time ago Simo proposed that we should remove caches and
old keytabs
during *install* so problems caused by failing uninstallation will be
fixed on
repeated install. This is yet another step towards idempotent
installer.

To me this makes more sense than doing so on uninstall. Does it
make sense to
you, too?

Attaching updated patch that does cleanup also before each instance
creation.
It is a bit ugly I admit, but I couldn't think of a better way to
do it and
didn't want to poke into service/instance code more than neccesary.
NACK, but we are almost there!

* kdestroy -A is too aggressive and wipes root's keyring after each
run of
ipa-*-install utils.

* There are some scattered leftovers of ipautil.run['kdestroy'...]
in the
tree. Please get rid of them.

Thank you!

Attaching updated patch. It got lost somewhere in the list.
ACK, thank you for patience.


The patch needs rebase.
Rebased patch attached.

--
Martin^3 Babinsky
From a6615f4b0aa44056560149bcad059dba2929ed4f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 9 Oct 2015 18:08:38 +0200
Subject: [PATCH] remove Kerberos authenticators when installing/uninstalling
 service instance

each service possessing Kerberos keytab/ccache will now perform their removal
before service principal creation and during service uninstall

https://fedorahosted.org/freeipa/ticket/5243
---
 ipaserver/install/adtrustinstance.py     |  4 ++--
 ipaserver/install/bindinstance.py        |  3 +++
 ipaserver/install/dnskeysyncinstance.py  |  3 +++
 ipaserver/install/dsinstance.py          |  4 ++--
 ipaserver/install/httpinstance.py        | 10 +++++----
 ipaserver/install/installutils.py        | 37 ++++++++++++++++++++++++++++++++
 ipaserver/install/odsexporterinstance.py |  3 +++
 7 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b8f1b770a574fdf80b5b40439d6cd9d83b094b68..813d48e50f179f936d7811c3c86b28fa98f24a50 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -540,6 +540,7 @@ class ADTRUSTInstance(service.Service):
             self.print_msg("Cannot add CIFS service: %s" % e)
 
         self.clean_samba_keytab()
+        installutils.remove_ccache(paths.KRB5CC_SAMBA)
 
         try:
             ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
@@ -937,8 +938,7 @@ class ADTRUSTInstance(service.Service):
             self.print_msg('WARNING: ' + str(e))
 
         # Remove samba's credentials cache
-        krb5cc_samba = paths.KRB5CC_SAMBA
-        installutils.remove_file(krb5cc_samba)
+        installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
 
         # Remove samba's configuration file
         installutils.remove_file(self.smb_conf)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 1d98926b2769c8f314af06e7b0ee2513774f950b..6bfde83de600df43e3430299100565e554a80583 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1203,3 +1203,6 @@ class BindInstance(service.Service):
 
         if named_regular_running:
             self.named_regular.start()
+
+        installutils.remove_keytab(paths.NAMED_KEYTAB)
+        installutils.remove_ccache(run_as='named')
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 68130c92558a4feb8d08fa826dbf6333d4461d1f..b2ccc027469a352c815963abfd0c0a61dd37297f 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -417,6 +417,7 @@ class DNSKeySyncInstance(service.Service):
 
     def __setup_principal(self):
         assert self.ods_gid is not None
+        installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
         dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
         installutils.kadmin_addprinc(dnssynckey_principal)
 
@@ -497,3 +498,5 @@ class DNSKeySyncInstance(service.Service):
             os.remove(paths.DNSSEC_SOFTHSM_PIN)
         except Exception:
             pass
+
+        installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 15b23a8704091fbcf54e5be52562f6da2eeb1d73..7bdcaea31dcdf593d1de3b98a2ddfb926c2ea990 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -937,8 +937,8 @@ class DsInstance(service.Service):
             root_logger.debug("Removing DS instance %s" % serverid)
             try:
                 remove_ds_instance(serverid)
-                root_logger.debug("Removing DS keytab")
-                installutils.remove_file(paths.DS_KEYTAB)
+                installutils.remove_keytab(paths.DS_KEYTAB)
+                installutils.remove_ccache(run_as=DS_USER)
             except ipautil.CalledProcessError:
                 root_logger.error("Failed to remove DS instance. You may "
                                   "need to remove instance data manually")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 53ccc24cc356b6b5027b58993374e5c6e759fd7e..30562703143883e1322d8ea763a1beebef993bfa 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -187,6 +187,7 @@ class HTTPInstance(service.Service):
 
     def __create_http_keytab(self):
         if not self.promote:
+            installutils.remove_keytab(paths.IPA_KEYTAB)
             installutils.kadmin_addprinc(self.principal)
             installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
             self.move_service(self.principal)
@@ -198,7 +199,8 @@ class HTTPInstance(service.Service):
         # Clean up existing ccache
         # Make sure that empty env is passed to avoid passing KRB5CCNAME from
         # current env
-        ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
+        ipautil.run(
+            [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
 
     def __configure_http(self):
         target_fname = paths.HTTPD_IPA_CONF
@@ -497,9 +499,9 @@ class HTTPInstance(service.Service):
                 root_logger.debug(error)
                 pass
 
-        # Remove the ccache file for the HTTPD service
-        ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER,
-                    raiseonerr=False)
+        installutils.remove_keytab(paths.IPA_KEYTAB)
+        installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
+                                   run_as=HTTPD_USER)
 
         # Remove the configuration files we create
         installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b15fdc03761e0edebbc57e3c5099e324c49b8f4d..5cad05dd46b000ae4d2ac98c1f2000484fe76cb8 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -20,6 +20,7 @@
 from __future__ import absolute_import
 from __future__ import print_function
 
+import errno
 import socket
 import getpass
 import gssapi
@@ -1339,3 +1340,39 @@ class ModifyLDIF(ldif.LDIFParser):
         for dn in remaining_changes:
             root_logger.error(
                 "DN: %s does not exists or haven't been updated", dn)
+
+
+def remove_keytab(keytab_path):
+    """
+    Remove Kerberos keytab and issue a warning if the procedure fails
+
+    :param keytab_path: path to the keytab file
+    """
+    try:
+        root_logger.debug("Removing service keytab: {}".format(keytab_path))
+        os.remove(keytab_path)
+    except OSError as e:
+        if e.errno != errno.ENOENT:
+            root_logger.warning("Failed to remove Kerberos keytab '{}': "
+                                "{}".format(keytab_path, e))
+            root_logger.warning("You may have to remove it manually")
+
+
+def remove_ccache(ccache_path=None, run_as=None):
+    """
+    remove Kerberos credential cache, essentially a wrapper around kdestroy.
+
+    :param ccache_path: path to the ccache file
+    :param run_as: run kdestroy as this user
+    """
+    root_logger.debug("Removing service credentials cache")
+    kdestroy_cmd = [paths.KDESTROY]
+    if ccache_path is not None:
+        root_logger.debug("Ccache path: '{}'".format(ccache_path))
+        kdestroy_cmd.extend(['-c', ccache_path])
+
+    try:
+        ipautil.run(kdestroy_cmd, runas=run_as, env={})
+    except ipautil.CalledProcessError as e:
+        root_logger.warning(
+            "Failed to clear Kerberos credentials cache: {}".format(e))
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 27a9247de82259ac84ba8e706c9a5e6f7dc3f01e..2d072cc9358266e9c6f549732bf7a56be054e2aa 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -193,3 +193,6 @@ class ODSExporterInstance(service.Service):
 
         if signerd_running:
             signerd_service.start()
+
+        installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
+        installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to