On 01/13/2016 10:31 AM, Martin Babinsky wrote:
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
On 01/07/2016 05:37 PM, Martin Babinsky wrote:

And the patch is here.

self-NACK, there may be a better way to handle this. I will do some
investigation and send updated patch.

Attaching updated patch.

Martin^3 Babinsky
From 0fe8f5e989f62c716f1de8159ca4d8c498106784 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH 1/3] uninstallation: more robust check for master removal from

When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.

 ipaserver/install/server/install.py | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa048cc6d05490ec38e4f2808e7874cd8312704b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 from __future__ import print_function
+import gssapi
 import os
 import pickle
 import pwd
@@ -291,26 +292,50 @@ def common_cleanup(func):
 def check_master_deleted(api, masters, interactive):
+    """
+    Determine whether the IPA master was removed from the domain level 1
+    topology. The function first tries to locally lookup the master host entry
+    and fetches host prinicipal from DS. Then we attempt to acquire host TGT,
+    contact the other masters one at a time and query for the existence of the
+    host entry for our IPA master.
+    :param api: instance of API object
+    :param masters: list of masters to contact
+    :param interactive: whether run in interactive mode. The user will be
+        prompted for action if the removal status cannot be determined
+    :return: True if the master is not part of the topology anymore as
+        determined by the following conditions:
+            * the host entry does not exist in local DS
+            * we fail to get host TGT
+            * GSSAPI connection to remote DS fails on invalid authentication
+            * if we are the only master
+        False otherwise
+    """
         host_princ = api.Command.host_show(
-    except Exception as e:
-        root_logger.warning(
-            "Failed to get host principal name: {0}".format(e)
+    except errors.NotFound:
+        root_logger.debug(
+            "Host entry for {} already deleted".format(api.env.host)
+        return True
+    except Exception as e:
+        root_logger.warning("Failed to get host principal name: {0}".format(e))
         return False
     ccache_path = os.path.join('/', 'tmp', 'krb5cc_host')
     with ipautil.private_ccache(ccache_path):
+        # attempt to get host TGT. Failure to do this indicates that the
+        # master was removed from topology
             ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path)
-        except Exception as e:
-            root_logger.error(
+        except gssapi.exceptions.GSSError as e:
+            root_logger.debug(
                 "Kerberos authentication as '{0}' failed: {1}".format(
                     host_princ, e
-            return False
+            return True
         last_server = True
         for master in masters:

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to