On 01/07/2016 05:37 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5584
And the patch is here. -- Martin^3 Babinsky
From 43617fe3bbd4e72626bdf9f3c228c3585cc37d4b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH] consider IPA master removed from topology when request for host TGT fails

When uninstalling IPA master in domain level 1 topology, the code that checks for correct removal from topology will now consider failure to obtain host TGT as a sign that the master entry was already removed.

https://fedorahosted.org/freeipa/ticket/5584
---
 ipaserver/install/server/install.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa7e071fb88115f6b7737468656b3fdb8d7ebc98 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 from __future__ import print_function
+import gssapi
 import os
 import pickle
 import pwd
@@ -302,15 +303,17 @@ def check_master_deleted(api, masters, interactive):
 ccache_path = os.path.join('/', 'tmp', 'krb5cc_host')
 with ipautil.private_ccache(ccache_path):
+ # attempt to get host TGT. Failure to do this indicates that the
+ # master was removed from topology
 try:
 ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path)
- except Exception as e:
- root_logger.error(
+ except gssapi.exceptions.GSSError as e:
+ root_logger.debug(
 "Kerberos authentication as '{0}' failed: {1}".format(
 host_princ, e
 )
 )
- return False
+ return True
 last_server = True
 for master in masters:
-- 
2.5.0
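Review bot: The new `except gssapi.exceptions.GSSError` branch in `check_master_deleted` returns True for every GSS failure, so an unreachable KDC, clock skew, or a missing or unreadable keytab is treated the same as a deleted master entry and the topology check fails open. Returning True should be limited to the case where the KDC reports the host principal as unknown, for example by inspecting the exception's minor status (`e.min_code`, if the installed python-gssapi exposes it here), with `return False` kept for all other errors. The message is also demoted to `root_logger.debug(`, which hides the skipped check from the operator; `root_logger.warning(` would keep the assumption visible in the uninstall log. Narrowing from `Exception` means any non-GSS error raised by `kinit_keytab` now propagates out of the function, which is worth confirming is intended. The function body starts and continues outside this hunk, so the effect on the `last_server` logic below could not be checked.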