[Freeipa-devel] [PATCH] Refactor keytab creation
Mark McLoughlin
markmc at redhat.com
Tue Dec 18 19:16:40 UTC 2007
# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1198001014 0
# Node ID 13d484285e734080056a379a6ed9a406ecef973d
# Parent e36901f77b15d1a0920dcfc49d590db937a6e478
Refactor keytab creation
There are a few places where we spawn kadmin to add/modify
principals and create keytabs.
Refactor all that code into installutils.
Signed-off-by: Mark McLoughlin <markmc at redhat.com>
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/httpinstance.py
--- a/ipa-server/ipaserver/httpinstance.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/httpinstance.py Tue Dec 18 18:03:34 2007 +0000
@@ -26,7 +26,6 @@ import pwd
import pwd
import fileinput
import sys
-import time
import shutil
import service
@@ -88,28 +87,9 @@ class HTTPInstance(service.Service):
self.print_msg(selinux_warning)
def __create_http_keytab(self):
- try:
- if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- os.remove("/etc/httpd/conf/ipa.keytab")
- except os.error:
- print "Failed to remove /etc/httpd/conf/ipa.keytab."
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- print "Error timed out waiting for kadmin to finish operations\n"
- sys.exit(1)
+ http_principal = "HTTP/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(http_principal)
+ installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
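Review bot: /etc/httpd/conf/ipa.keytab is handed to the apache user on the chown line right after create_keytab returns, but nothing in this hunk restricts its mode, whereas the host keytab in krbinstance is explicitly chmod'd to 0600; if no chmod follows in the part of __create_http_keytab outside this hunk, the key material keeps whatever mode kadmin's ktadd produced. Adding `os.chmod("/etc/httpd/conf/ipa.keytab", 0600)` after the chown, or having installutils.create_keytab set 0600 before returning so every caller gets it, would close that; the same applies to /etc/dirsrv/ds.keytab in krbinstance's __create_ds_keytab, which is likewise only chown'd. __create_http_keytab continues past the end of this hunk.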
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/installutils.py
--- a/ipa-server/ipaserver/installutils.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/installutils.py Tue Dec 18 18:03:34 2007 +0000
@@ -25,6 +25,9 @@ import re
import re
import fileinput
import sys
+import time
+
+from ipa import ipautil
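Review bot: The new create_keytab added further down in this file calls os.remove and logging.critical, but this import hunk adds only time and ipautil; unless os and logging are already imported above line 25 (not visible here), those calls raise NameError at runtime instead of reporting the failure. Add `import os` and `import logging` alongside the other imports in this block.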
def get_fqdn():
fqdn = ""
@@ -124,4 +127,36 @@ def update_file(filename, orig, subst):
print "File %s doesn't exist." % filename
return 1
+def kadmin(command):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write(command)
+ kwrite.write("\n")
+ kwrite.flush()
+
+ for k in (kwrite, kread, kerr):
+ k.close()
+
+def kadmin_addprinc(principal):
+ kadmin("addprinc -randkey " + principal)
+
+def kadmin_modprinc(principal, options):
+ kadmin("modprinc " + options + " " + principal)
+
+def create_keytab(path, principal):
+ try:
+ if ipautil.file_exists(path):
+ os.remove(path)
+ except os.error:
+ logging.critical("Failed to remove %s." % path)
+
+ kadmin("ktadd -k " + path + " " + principal)
+
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not ipautil.file_exists(path):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ logging.critical("Error timed out waiting for kadmin to finish operations")
+ sys.exit(1)
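Review bot: kadmin() never reads kadmin.local's output or exit status — kread and kerr are closed unread and os.popen3 gives no return code — so a failed addprinc, modprinc or ktadd is silent, and the only error signal left is create_keytab's 15-second poll for the file, which kadmin_addprinc and kadmin_modprinc do not have at all. Running kadmin.local through subprocess and waiting with communicate() lets the helper log stderr and the exit status and stop on failure; kadmin.local may exit 0 even when an individual sub-command fails, so the captured stderr should be inspected by the caller as well rather than treated as noise. With communicate() the process has exited before create_keytab continues, so the sleep/retry loop reduces to a plain existence check. This needs `import subprocess` in the file's import block (subprocess is available from Python 2.4 on).
```python
def kadmin(command):
    # Run a single kadmin.local command, wait for it to exit, and surface
    # its exit status and stderr so callers can see failures.
    proc = subprocess.Popen(["/usr/kerberos/sbin/kadmin.local"],
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    (out, err) = proc.communicate(command + "\n")
    if proc.returncode != 0:
        logging.critical("kadmin.local exited with %d: %s" % (proc.returncode, err))
        sys.exit(1)
    return (out, err)

# … unchanged: kadmin_addprinc, kadmin_modprinc, create_keytab …
```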
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/krbinstance.py Tue Dec 18 18:03:34 2007 +0000
@@ -29,10 +29,10 @@ import os
import os
import pwd
import socket
-import time
import shutil
import service
+import installutils
from ipa import ipautil
from ipa import ipaerror
@@ -345,89 +345,26 @@ class KrbInstance(service.Service):
raise e
def __create_ds_keytab(self):
- try:
- if ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- os.remove("/etc/dirsrv/ds.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/dirsrv/ds.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/dirsrv/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ ldap_principal = "ldap/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(ldap_principal)
+ installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
pent = pwd.getpwnam(self.ds_user)
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):
- try:
- if ipautil.file_exists("/etc/krb5.keytab"):
- os.remove("/etc/krb5.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/krb5.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/krb5.keytab host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/krb5.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ host_principal = "host/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(host_principal)
+ installutils.create_keytab("/etc/krb5.keytab", host_principal)
# Make sure access is strictly reserved to root only for now
os.chown("/etc/krb5.keytab", 0, 0)
os.chmod("/etc/krb5.keytab", 0600)
def __export_kadmin_changepw_keytab(self):
- try:
- if ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- os.remove("/var/kerberos/krb5kdc/kpasswd.keytab")
- except os.error:
- logging.critical("Failed to remove /var/kerberos/krb5kdc/kpasswd.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("modprinc +requires_preauth kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("ktadd -k /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")
+ installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw")
update_key_val_in_file("/etc/sysconfig/ipa-kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab")
pent = pwd.getpwnam(self.ds_user)