On 01/13/2016 10:31 AM, Martin Babinsky wrote:
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
On 01/07/2016 05:37 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5584
And the patch is here.
self-NACK, there may be a better way to handle this. I will do some
investigation and send an updated patch.
Attaching updated patch.
--
Martin^3 Babinsky
From 0fe8f5e989f62c716f1de8159ca4d8c498106784 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <[email protected]>
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH 1/3] uninstallation: more robust check for master removal from
topology
When uninstalling an IPA master in a domain level 1 topology, the code that
checks for correct removal from the topology will now consider failures to look
up the host entry in local LDAP and to obtain the host TGT as a sign that the
master entry was already removed.
https://fedorahosted.org/freeipa/ticket/5584
---
ipaserver/install/server/install.py | 37 +++++++++++++++++++++++++++++++------
1 file changed, 31 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa048cc6d05490ec38e4f2808e7874cd8312704b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
from __future__ import print_function
+import gssapi
import os
import pickle
import pwd
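Review bot: the only thing this import is used for in the patch is `gssapi.exceptions.GSSError` in the kinit handler below; since that name lives in a submodule, make the dependency explicit with `from gssapi.exceptions import GSSError` (or `import gssapi.exceptions`) instead of relying on the bare package import having pulled `exceptions` in, and keep the import block alphabetical as it is now.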
@@ -291,26 +292,50 @@ def common_cleanup(func):
def check_master_deleted(api, masters, interactive):
+ """
+ Determine whether the IPA master was removed from the domain level 1
+ topology. The function first tries to locally lookup the master host entry
+ and fetches host prinicipal from DS. Then we attempt to acquire host TGT,
+ contact the other masters one at a time and query for the existence of the
+ host entry for our IPA master.
+
+ :param api: instance of API object
+ :param masters: list of masters to contact
+ :param interactive: whether run in interactive mode. The user will be
+ prompted for action if the removal status cannot be determined
+ :return: True if the master is not part of the topology anymore as
+ determined by the following conditions:
+ * the host entry does not exist in local DS
+ * we fail to get host TGT
+ * GSSAPI connection to remote DS fails on invalid authentication
+ * if we are the only master
+ False otherwise
+ """
try:
host_princ = api.Command.host_show(
api.env.host)['result']['krbprincipalname'][0]
- except Exception as e:
- root_logger.warning(
- "Failed to get host principal name: {0}".format(e)
+ except errors.NotFound:
+ root_logger.debug(
+ "Host entry for {} already deleted".format(api.env.host)
)
+ return True
+ except Exception as e:
+ root_logger.warning("Failed to get host principal name: {0}".format(e))
return False
ccache_path = os.path.join('/', 'tmp', 'krb5cc_host')
with ipautil.private_ccache(ccache_path):
+ # attempt to get host TGT. Failure to do this indicates that the
+ # master was removed from topology
try:
ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path)
- except Exception as e:
- root_logger.error(
+ except gssapi.exceptions.GSSError as e:
+ root_logger.debug(
"Kerberos authentication as '{0}' failed: {1}".format(
host_princ, e
)
)
- return False
+ return True
last_server = True
for master in masters:
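Review bot: the new `except gssapi.exceptions.GSSError` branch returns True for every GSSAPI failure of `kinit_keytab`, but that exception also covers conditions that say nothing about topology membership (KDC unreachable, clock skew, keytab unreadable or stale), and True is the answer that lets the uninstaller proceed; the code this replaces returned False here, so the change flips the failure mode in the unsafe direction (a master whose KDC is briefly unreachable is now treated as already removed). Narrow it: inspect `e.min_code` and return True only for the KDC's "client not found in Kerberos database" case, and for anything else fall back to the `interactive` prompt the docstring promises ("The user will be prompted for action if the removal status cannot be determined"), which this branch never reaches. Related: the log level drops from `error` to `debug`, so a genuinely transient failure that is misread as removal leaves no trace in a normal run; keep at least a warning with the GSSAPI message. Minor: the docstring has "prinicipal" for "principal" and "lookup" as a verb should be "look up".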
--
2.5.0
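To make the narrowing suggested above concrete, here is an added example written for this review; it is not FreeIPA code and not part of the patch. It triages a failed host kinit by the Kerberos error code that python-gssapi exposes as `GSSError.min_code`. The constants are MIT krb5's com_err codes from `krb5_err.h`; the unsigned-to-signed conversion assumes the krb5 mechanism, where the GSSAPI minor status is the krb5 error code carried in a 32-bit unsigned field. The `ask` callable stands in for whatever interactive prompt the installer would use and is an assumption, as are the sample codes, which are constructed for the run at the bottom.

```python
"""Triage a failed host kinit by its Kerberos error code.

Added example for this review, not FreeIPA code. Only the KDC answering
"client not found in Kerberos database" is evidence that the host principal
(and so the host entry) is gone. An unreachable KDC, clock skew or a stale
keytab says nothing about topology membership and must not be read as
"master already removed".
"""

# Error codes from MIT krb5's krb5_err.h. The krb5 com_err table starts at
# KRB5KDC_ERR_NONE; the other codes are fixed offsets from it.
KRB5KDC_ERR_NONE = -1765328384
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = KRB5KDC_ERR_NONE + 6    # client not found
KRB5KDC_ERR_PREAUTH_FAILED = KRB5KDC_ERR_NONE + 24       # key mismatch
KRB5KRB_AP_ERR_SKEW = KRB5KDC_ERR_NONE + 37              # clock skew too great
KRB5_KDC_UNREACH = KRB5KDC_ERR_NONE + 156                # cannot contact any KDC

REMOVED, TRANSIENT, AMBIGUOUS = "removed", "transient", "ambiguous"


def krb5_code_from_gss_minor(min_code):
    """Map a GSSAPI minor status to the signed krb5 com_err code.

    For the krb5 mechanism the minor status is the krb5 error code, but
    GSSAPI carries it as an unsigned 32-bit value (python-gssapi exposes it
    as GSSError.min_code), so negative codes arrive wrapped around 2**32.
    """
    code = int(min_code)
    if code >= 2 ** 31:
        code -= 2 ** 32
    return code


def classify_kinit_failure(min_code):
    """Say what a failed kinit with the host keytab tells us."""
    code = krb5_code_from_gss_minor(min_code)
    if code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        # The KDC no longer knows our host principal: consistent with the
        # host entry having been deleted from the topology.
        return REMOVED
    if code in (KRB5_KDC_UNREACH, KRB5KRB_AP_ERR_SKEW):
        # We could not even ask the question; nothing learned about topology.
        return TRANSIENT
    # Preauth failure (key mismatch) or anything unexpected: undecidable here.
    return AMBIGUOUS


def master_removed_after_kinit_failure(min_code, interactive, ask):
    """Decision the uninstaller needs: is the master already out of topology?

    `ask` is a hypothetical prompt callable returning the user's answer; it
    is consulted only in interactive mode and only for ambiguous failures.
    Transient failures never count as "removed", whatever the user answers.
    """
    verdict = classify_kinit_failure(min_code)
    if verdict == REMOVED:
        return True
    if verdict == TRANSIENT:
        return False
    return bool(ask()) if interactive else False


if __name__ == "__main__":
    # Constructed minor codes as python-gssapi would report them (unsigned).
    unknown_client = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN & 0xFFFFFFFF
    kdc_down = KRB5_KDC_UNREACH & 0xFFFFFFFF
    print(classify_kinit_failure(unknown_client))                          # removed
    print(master_removed_after_kinit_failure(kdc_down, True, lambda: True))  # False
```

In the patch this would sit inside the `except gssapi.exceptions.GSSError as e:` branch, feeding `e.min_code` to `master_removed_after_kinit_failure` together with the function's own `interactive` argument, so that only the "client not found" answer from the KDC short-circuits to True.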
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code