On 01/13/2016 10:31 AM, Martin Babinsky wrote:
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
On 01/07/2016 05:37 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5584

And the patch is here.



Self-NACK: there may be a better way to handle this. I will do some
investigation and send an updated patch.

Attaching updated patch.

--
Martin^3 Babinsky
From 0fe8f5e989f62c716f1de8159ca4d8c498106784 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH 1/3] uninstallation: more robust check for master removal from
 topology

When uninstalling an IPA master in a domain level 1 topology, the code that
checks for correct removal from the topology will now consider failures to look
up the host entry in local LDAP and to obtain the host TGT as a sign that the
master entry was already removed.

https://fedorahosted.org/freeipa/ticket/5584
---
 ipaserver/install/server/install.py | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa048cc6d05490ec38e4f2808e7874cd8312704b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import gssapi
 import os
 import pickle
 import pwd
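Review bot: the added `import gssapi` lands in the middle of the standard-library group (`os`, `pickle`, `pwd`); `gssapi` is a third-party module, so move it to its own group after the standard-library imports rather than interleaving it alphabetically with them.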
@@ -291,26 +292,50 @@ def common_cleanup(func):
 
 
 def check_master_deleted(api, masters, interactive):
+    """
+    Determine whether the IPA master was removed from the domain level 1
+    topology. The function first tries to locally lookup the master host entry
+    and fetches host prinicipal from DS. Then we attempt to acquire host TGT,
+    contact the other masters one at a time and query for the existence of the
+    host entry for our IPA master.
+
+    :param api: instance of API object
+    :param masters: list of masters to contact
+    :param interactive: whether run in interactive mode. The user will be
+        prompted for action if the removal status cannot be determined
+    :return: True if the master is not part of the topology anymore as
+        determined by the following conditions:
+            * the host entry does not exist in local DS
+            * we fail to get host TGT
+            * GSSAPI connection to remote DS fails on invalid authentication
+            * if we are the only master
+        False otherwise
+    """
     try:
         host_princ = api.Command.host_show(
             api.env.host)['result']['krbprincipalname'][0]
-    except Exception as e:
-        root_logger.warning(
-            "Failed to get host principal name: {0}".format(e)
+    except errors.NotFound:
+        root_logger.debug(
+            "Host entry for {} already deleted".format(api.env.host)
         )
+        return True
+    except Exception as e:
+        root_logger.warning("Failed to get host principal name: {0}".format(e))
         return False
 
     ccache_path = os.path.join('/', 'tmp', 'krb5cc_host')
     with ipautil.private_ccache(ccache_path):
+        # attempt to get host TGT. Failure to do this indicates that the
+        # master was removed from topology
         try:
             ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path)
-        except Exception as e:
-            root_logger.error(
+        except gssapi.exceptions.GSSError as e:
+            root_logger.debug(
                 "Kerberos authentication as '{0}' failed: {1}".format(
                     host_princ, e
                 )
             )
-            return False
+            return True
 
         last_server = True
         for master in masters:
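Review bot: treating any `gssapi.exceptions.GSSError` from `ipautil.kinit_keytab` as proof that the master was removed (the `return True` that replaces `return False`) is too broad. A KDC that is down or unreachable, or a clock-skew rejection, raises the same exception type, so a transient Kerberos failure during uninstall would be reported as a confirmed removal and the uninstaller would proceed. Inspect the error and treat only the unknown-principal case, which is what the commit message actually describes, as "already removed"; for anything else, fall back to the `interactive` prompt the docstring promises instead of returning True. Narrowing the `except` from `Exception` to `GSSError` also means a non-GSSAPI failure of `kinit_keytab` (an unreadable `paths.KRB5_KEYTAB`, for instance) now propagates as an unhandled traceback where it previously logged and returned False; either keep a second `except Exception` branch that returns False, or say why that is acceptable. In the docstring, "prinicipal" should be "principal" and "tries to locally lookup" should be "tries to look up ... locally"; the "GSSAPI connection to remote DS fails on invalid authentication" and "if we are the only master" conditions describe code outside this hunk, so the stated return contract should be checked against that loop as well.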
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code