We stopped using ldappwd and kpasswd.keytab when we moved from
ipa_kpasswd to kadmind.

Unfortunately I forgot to remove their use in all places and didn't
notice issues during testing because I used a "dirty" virtual machine
that had an ldappwd file in place.

These patches get rid of these vestiges of the past and fix the replica
installation issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 8e8cf07b530643290944d93314e1e43acb52d18d Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 31 Aug 2011 11:39:53 -0400
Subject: [PATCH 1/2] install: We do not need a ldap password anymore

Our new ipa-kdb driver accesses LDAP via ldapi:// with EXTERNAL auth and doesn't
need a bind password anymore.

Fixes: https://fedorahosted.org/freeipa/ticket/1743
---
 install/tools/ipa-replica-install |    3 +--
 install/tools/ipa-replica-prepare |    1 -
 ipaserver/install/krbinstance.py  |   10 ++--------
 3 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 6b97e0e93799c7cdb1b90fbe89a0f42a3c3d0b8d..a7c28c1ad40028657e71959176e960f4ff7a2d91 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -129,7 +129,6 @@ def install_replica_ds(config):
 
 def install_krb(config, setup_pkinit=False):
     krb = krbinstance.KrbInstance()
-    ldappwd_filename = config.dir + "/ldappwd"
     kpasswd_filename = config.dir + "/kpasswd.keytab"
 
     #pkinit files
@@ -141,7 +140,7 @@ def install_krb(config, setup_pkinit=False):
     krb.create_replica(config.realm_name,
                        config.master_host_name, config.host_name,
                        config.domain_name, config.dirman_password,
-                       ldappwd_filename, kpasswd_filename,
+                       kpasswd_filename,
                        setup_pkinit, pkcs12_info)
 
 def install_ca_cert(config):
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 0c88244b33f46aa87f4f619a0b7053ec14fd7603..647252e49548fd99e79d90da4dd5bf68e0475e2b 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -214,7 +214,6 @@ def copy_files(realm_name, dir):
     config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 
     try:
-        shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
         shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
         shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
         if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
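Review bot: Dropping the copy of `/var/kerberos/krb5kdc/ldappwd` into the replica package leaves the file itself in place on any master that was installed by an earlier version, and it holds an LDAP bind password that nothing in this series now reads or deletes; the "dirty" VM mentioned in the cover letter is exactly such a host. The same applies to `/var/kerberos/krb5kdc/kpasswd.keytab` in the second patch (hunk ending at L151), which carries the kadmin/changepw keys. Consider having the upgrade path remove both files, or at least state in the commit message that they are expected to linger on upgraded masters. copy_files continues outside the hunk.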
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 9956b9fb7fb69d8788d2e8472a7b68993f7d561d..1f499006ec8dd8811378412420b25d4d3af252b5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -183,13 +183,12 @@ class KrbInstance(service.Service):
     def create_replica(self, realm_name,
                        master_fqdn, host_name,
                        domain_name, admin_password,
-                       ldap_passwd_filename, kpasswd_filename,
+                       kpasswd_filename,
                        setup_pkinit=False, pkcs12_info=None,
                        self_signed_ca=False, subject_base=None):
         self.pkcs12_info = pkcs12_info
         self.self_signed_ca = self_signed_ca
         self.subject_base = subject_base
-        self.__copy_ldap_passwd(ldap_passwd_filename)
         self.__copy_kpasswd_keytab(kpasswd_filename)
         self.master_fqdn = master_fqdn
 
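Review bot: Removing `ldap_passwd_filename` from the middle of a positional parameter list means any caller that is not updated in the same commit silently binds its ldappwd path to `kpasswd_filename` and its keytab path to `setup_pkinit` instead of failing; only ipa-replica-install is updated here, so if any other caller exists (e.g. in tests) it needs the same change. The second patch repeats this for `kpasswd_filename` (hunk ending at L177). A short docstring on create_replica listing the remaining positional parameters, or passing the trailing options by keyword at the call site, would make such a shift visible. The method body continues outside the hunk.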
@@ -212,11 +211,6 @@ class KrbInstance(service.Service):
         self.kpasswd = KpasswdInstance()
         self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
 
-    def __copy_ldap_passwd(self, filename):
-        self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
-        shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
-        os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
-
     def __copy_kpasswd_keytab(self, filename):
         self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
         shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
@@ -463,7 +457,7 @@ class KrbInstance(service.Service):
         except:
             pass
 
-        for f in ["/var/kerberos/krb5kdc/ldappwd", "/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
+        for f in ["/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
             try:
                 self.fstore.restore_file(f)
             except ValueError, error:
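Review bot: Taking `/var/kerberos/krb5kdc/ldappwd` out of the restore loop means an instance set up by an earlier version, whose `__copy_ldap_passwd` wrote that bind-password file with mode 0600 (deleted in the hunk ending at L93), is no longer cleaned up on uninstall and the credential stays on disk. Keeping the path in the list looks harmless when no backup exists, since the loop already catches ValueError (handler body outside the hunk); alternatively remove the file explicitly, e.g. `if os.path.exists("/var/kerberos/krb5kdc/ldappwd"): os.remove("/var/kerberos/krb5kdc/ldappwd")`. The enclosing uninstall method starts and ends outside the hunk.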
-- 
1.7.6

>From 717fd6a447bef3f6792f6104f37bb1120c764095 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 31 Aug 2011 11:45:07 -0400
Subject: [PATCH 2/2] install: We do not need a kpasswd keytab anymore

We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
---
 install/tools/ipa-replica-install |    2 --
 install/tools/ipa-replica-prepare |    1 -
 ipaserver/install/krbinstance.py  |   14 --------------
 3 files changed, 0 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a7c28c1ad40028657e71959176e960f4ff7a2d91..0d622628070ffe44122edb6a3c12732ddcad50eb 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -129,7 +129,6 @@ def install_replica_ds(config):
 
 def install_krb(config, setup_pkinit=False):
     krb = krbinstance.KrbInstance()
-    kpasswd_filename = config.dir + "/kpasswd.keytab"
 
     #pkinit files
     pkcs12_info = None
@@ -140,7 +139,6 @@ def install_krb(config, setup_pkinit=False):
     krb.create_replica(config.realm_name,
                        config.master_host_name, config.host_name,
                        config.domain_name, config.dirman_password,
-                       kpasswd_filename,
                        setup_pkinit, pkcs12_info)
 
 def install_ca_cert(config):
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 647252e49548fd99e79d90da4dd5bf68e0475e2b..9f935262aeda28ce6abd5ffe1517a09ad1bc41b6 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -214,7 +214,6 @@ def copy_files(realm_name, dir):
     config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 
     try:
-        shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
         shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
         if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
             shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 1f499006ec8dd8811378412420b25d4d3af252b5..8f2cf2c051170bc068e70c5ff048a205dadb2027 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -167,7 +167,6 @@ class KrbInstance(service.Service):
         self.step("adding default ACIs", self.__add_default_acis)
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
-        self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
         if setup_pkinit:
             self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
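Review bot: Removing the "exporting the kadmin keytab" step also drops `installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")`, which was the first thing `__export_kadmin_changepw_keytab` did (deleted in the hunk ending at L202); the commit message only justifies no longer writing the keytab to disk. Unless the principal gets that flag elsewhere, keep the modprinc in its own step, e.g. `self.step("setting kadmin/changepw attributes", self.__set_changepw_attrs)` with a one-line method wrapping the call. create_instance's step list continues outside the hunk.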
@@ -183,13 +182,11 @@ class KrbInstance(service.Service):
     def create_replica(self, realm_name,
                        master_fqdn, host_name,
                        domain_name, admin_password,
-                       kpasswd_filename,
                        setup_pkinit=False, pkcs12_info=None,
                        self_signed_ca=False, subject_base=None):
         self.pkcs12_info = pkcs12_info
         self.self_signed_ca = self_signed_ca
         self.subject_base = subject_base
-        self.__copy_kpasswd_keytab(kpasswd_filename)
         self.master_fqdn = master_fqdn
 
         self.__common_setup(realm_name, host_name, domain_name, admin_password)
@@ -211,11 +208,6 @@ class KrbInstance(service.Service):
         self.kpasswd = KpasswdInstance()
         self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
 
-    def __copy_kpasswd_keytab(self, filename):
-        self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
-        shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
-        os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600)
-
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
@@ -399,12 +391,6 @@ class KrbInstance(service.Service):
 
         self.move_service_to_host(host_principal)
 
-    def __export_kadmin_changepw_keytab(self):
-        installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")
-
-        self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
-        installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw")
-
     def __setup_pkinit(self):
         if self.self_signed_ca:
             ca_db = certs.CertDB(self.realm,
-- 
1.7.6
