On 03.08.2016 19:18, Martin Basti wrote:
On 02.08.2016 20:02, Christian Heimes wrote:
On 2016-07-19 17:03, Martin Basti wrote:
On 12.07.2016 16:45, Christian Heimes wrote:
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
The server.keys file and all keys are now removed during uninstallation
of a server, too.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056
NACK
ipa-server-install --uninstall doesn't work
I fixed it by splitting up uninstallation into two parts:
1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file
Hello,
1)
Is it expected that, after removing the replica with ipa server-del
vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on the
master (vm-058-107)?
# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.brQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.brQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB
I also see them on the replica (which was removed from the topology).
I did not find any errors in the http log.
2)
I tried hard, but I cannot see the relation between
https://fedorahosted.org/freeipa/ticket/6015 and
https://fedorahosted.org/freeipa/ticket/6056
IMO it should be separated into two patches, to make backports and
patching easier and to make life easier in the future with git blame.
There should not be a BZ, only upstream tickets, in the commit.
3)
IMO it should be 'Removing', not 'Remove'. I'm not a native speaker, but
it looks more consistent with the rest of the log entries:
INFO Remove Custodia keys
4)
the same for
root_logger.info("Secure server.keys mode"), IMHO it should be 'Securing'
5)
What is the purpose of remove_server_keys() in KEM.py? I see it used
only in manual testing. Can it be reused in server.py? Because it
looks like duplicated code to me, but correct me if I'm wrong.
Martin^2
I received this when I tried to uninstall an already uninstalled replica
(calling ipa-replica-install -U --uninstall twice):
2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z INFO Remove Custodia keys
2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1375, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 266, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1076, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 72, in __remove_keys
    keystore = IPAKEMKeys({'server_keys': self.server_keys})
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 193, in __init__
    self.host = conf.get('global', 'host')
  File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
    raise NoSectionError(section)
NoSectionError: No section: 'global'
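The thread above touches three points a practitioner would want to see together: a private key file that was created 644 and only protected by its 700 directory, the installer's "secure server.keys mode" step that tightens it to 600, and an uninstall that crashes when run a second time because the key file is already gone. The following is an added example, written for this page and not FreeIPA's code or the patch under review; the function names, the temporary file names and the fake key bytes are made up for the demonstration. It shows the difference between create-then-chmod (which leaves a world-readable window) and creating the file with 0600 from the start, a read-only permission check in the spirit of the installer's fix-up step, and a removal routine that a second --uninstall run can call without failing.

```python
"""Added example (not FreeIPA code): create a private-key file without a
world-readable window, verify/repair its mode, and remove it idempotently.
File names, function names and the key bytes are made up for this demo."""
import errno
import os
import stat
import tempfile

KEY_MODE = 0o600   # owner read/write only, what the installer enforces
DIR_MODE = 0o700   # owner-only directory, as /etc/ipa/custodia uses


def write_private_key(path, data, mode=KEY_MODE):
    """Create `path` with `mode` from the first instant it exists.

    os.open() applies `mode` at creation (minus the umask), so the file is
    never group/world readable, even briefly. A create-then-chmod sequence,
    by contrast, leaves a window in which a 644 file is on disk.
    O_EXCL refuses a pre-existing file or a symlink planted at `path`.
    """
    old_umask = os.umask(0o077)      # make sure the umask cannot widen mode
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def key_file_issues(path):
    """Return a list of permission problems; an empty list means the key
    file is 0600 and sits in a 0700 directory (read-only check)."""
    issues = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        issues.append("key file is a symlink")
        return issues
    fmode = stat.S_IMODE(st.st_mode)
    if fmode & 0o077:
        issues.append("key file mode %o is not 0600" % fmode)
    dmode = stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)
    if dmode & 0o077:
        issues.append("directory mode %o is not 0700" % dmode)
    return issues


def secure_key_file(path, mode=KEY_MODE):
    """Tighten an existing key file to `mode` (the 644 -> 600 repair) and
    return the resulting mode bits."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def remove_key_file(path):
    """Remove the key file; return True if something was removed.

    Safe to call twice: a missing file is not an error, which is the
    property a repeated uninstall needs instead of raising.
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return False
        raise
    return True


def demo():
    """Run the whole sequence in a temporary directory; return findings."""
    d = tempfile.mkdtemp()
    os.chmod(d, DIR_MODE)
    key = os.path.join(d, "server.keys")
    write_private_key(key, b"-----BEGIN FAKE KEY-----\n")  # constructed data
    created_mode = stat.S_IMODE(os.stat(key).st_mode)
    os.chmod(key, 0o644)                   # reproduce the reported bug
    issues_at_644 = key_file_issues(key)
    mode_after_fix = secure_key_file(key)
    issues_after_fix = key_file_issues(key)
    removed_first = remove_key_file(key)   # first uninstall
    removed_second = remove_key_file(key)  # second uninstall: no crash
    os.rmdir(d)
    return {
        "created_mode": created_mode,
        "issues_at_644": issues_at_644,
        "mode_after_fix": mode_after_fix,
        "issues_after_fix": issues_after_fix,
        "removed_first": removed_first,
        "removed_second": removed_second,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of write_private_key() is that the mode is part of the open() call, so there is no moment at which an unprivileged local user could read the key before a later chmod runs; the umask dance guards against a process started with a permissive umask. remove_key_file() treats ENOENT as "nothing to do", which is the behaviour the second ipa-replica-install --uninstall run in the traceback above would need before it tries to load a configuration that no longer exists.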
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code