[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

Ana Krivokapic akrivoka at redhat.com
Mon Jun 10 14:35:43 UTC 2013


On 06/07/2013 10:23 AM, Tomas Babej wrote:
> On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
>> On 05/15/2013 12:29 PM, Petr Viktorin wrote:
>>> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>>>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>>>> Hello,
>>>>>
>>>>> See the commit message for details.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3594
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> +    def regenerate_ca_file(self, ca_file):
>>>> +        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>>>> +        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>>>> +
>>>> +        os.write(dm_pwd_fd, self.dirman_password)
>>>> +        os.close(dm_pwd_fd)
>>>> +
>>>> +        keydb_pwd = ''
>>>> +        with open('/etc/pki/pki-tomcat/password.conf') as f:
>>>> +            for line in f.readlines():
>>>> +                key, value = line.strip().split('=')
>>>> +                if key == 'internal':
>>>> +                    keydb_pwd = value
>>>> +                    break
>>>> +
>>>> +        os.write(keydb_pwd_fd, keydb_pwd)
>>>> +        os.close(keydb_pwd_fd)
>>>> +
>>>> +        ipautil.run([
>>>> +            '/usr/bin/PKCS12Export',
>>>> +            '-d', '/etc/pki/pki-tomcat/alias/',
>>>> +            '-p', keydb_pwd_fname,
>>>> +            '-w', dm_pwd_fname,
>>>> +            '-o', ca_file
>>>> +        ])
>>>> +
>>>>
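Review bot: `key, value = line.strip().split('=')` raises ValueError on any password.conf line that is blank, a comment, or whose value contains a second '=' (passwords may), which aborts the whole replica preparation before the export even runs; split once with `line.split('=', 1)` and skip lines without '='. Also, the `keydb_pwd = ''` default means a password.conf with no `internal` entry silently runs PKCS12Export with an empty password file instead of failing with a clear error.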
>>>> If the PKCS12Export call fails (returns non-zero code), we raise
>>>> exception here, and the temporary files are never removed.
>>>>
>>>> +        os.remove(dm_pwd_fname)
>>>> +        os.remove(keydb_pwd_fname)
>>>>
>>>> This might not be a big issue since the mkstemp() call creates a temporary
>>>> file readable and writable only by the given user ID;
>>>> however, we should not leave files with passwords in plaintext on the
>>>> disk if it is not necessary.
>>>>
>>>> This can be easily prevented by wrapping the call up with a
>>>> try-catch-finally block, or using the raiseonerr=False option of the run
>>>> method.
>>> Or by using ipautil.write_tmp_file() -- the file it creates is always
>>> removed after it's closed/garbage collected, and it has a name attribute.
>>>
>> Updated patch uses `ipautil.write_tmp_file()`.
>>
> I'm testing on a fairly updated F19 VM:
>
> I'm getting the following error when preparing the replica info file:
>
> [root at vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address
> 192.168.122.213
> Directory Manager (existing master) password:
>
> Preparing replica for vm-003.ipa.com from vm-002.ipa.com
> Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
> /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non
>
> When trying that manually:
>
> [root at vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
> -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
> Exception in thread "main" java.lang.NoClassDefFoundError:
> org/mozilla/jss/util/PasswordCallback
>     at java.lang.Class.getDeclaredMethods0(Native Method)
>     at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
>     at java.lang.Class.getMethod0(Class.java:2694)
>     at java.lang.Class.getMethod(Class.java:1622)
>     at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
>     at
> sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
> Caused by: java.lang.ClassNotFoundException:
> org.mozilla.jss.util.PasswordCallback
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
>     ... 6 more
>
> We might need to investigate what causes this, and if the issue is not
> on our side, file appropriate bugs.
>
> Tomas

This is a bug in the PKCS12Export utility. I opened a Bugzilla for it:
https://bugzilla.redhat.com/show_bug.cgi?id=972753.

Below is a workaround, as suggested by Ade:
<alee> as for a workaround, you could simply edit the file that starts
PKCS12Export
<alee> edit /usr/bin/PKCS12Export
<alee> after line 134, simply add the line :  CP=/usr/lib/java/jss4.jar
<alee> but that's just a temp fix for f19 only
<alee> not the real fix,
<alee> you'll need the real fix checked in to pass the patch

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
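Added example, not part of this thread or of FreeIPA's code: a Python 3 standard-library rewrite of the quoted regenerate_ca_file() that keeps the temporary password files only for the lifetime of the export and deletes them even when PKCS12Export fails, and that parses password.conf without tripping over blank lines or '=' inside the password. The function names, the export command and the /etc/pki/pki-tomcat paths mirror the patch but are assumptions here.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager


def parse_password_conf(text):
    """Return the NSS key database password stored under the 'internal' key."""
    for line in text.splitlines():
        line = line.strip()
        # skip blanks/comments; split once so '=' inside the password survives
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if key.strip() == 'internal':
            return value
    raise ValueError("no 'internal' entry in password.conf")  # never run with ''


@contextmanager
def secret_files(*secrets):
    """Write each secret to its own mkstemp() file (mode 0600) and yield the
    paths; the files are removed on exit even when the body raises."""
    paths = []
    try:
        for secret in secrets:
            fd, path = tempfile.mkstemp()
            with os.fdopen(fd, 'w') as f:
                f.write(secret)
            paths.append(path)
        yield paths
    finally:
        for path in paths:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass


def regenerate_ca_file(dirman_password, password_conf_text, ca_file,
                       export_cmd='/usr/bin/PKCS12Export'):
    """Hypothetical rewrite of the patch's method: export the CA to ca_file.
    A failing export raises CalledProcessError with the password files gone."""
    keydb_pwd = parse_password_conf(password_conf_text)
    with secret_files(dirman_password, keydb_pwd) as (dm_file, keydb_file):
        subprocess.run([export_cmd, '-d', '/etc/pki/pki-tomcat/alias/',
                        '-p', keydb_file, '-w', dm_file, '-o', ca_file],
                       check=True)
```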
