You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
75 lines
2.7 KiB
75 lines
2.7 KiB
1 year ago
|
From bfeefaf454e3e705e509ed13b2e650ddfd487fa2 Mon Sep 17 00:00:00 2001
|
||
|
From: Thomas Woerner <twoerner@redhat.com>
|
||
|
Date: Wed, 8 Feb 2023 13:38:12 +0100
|
||
|
Subject: [PATCH] ipaclient: Fix allow_repair with removed krb5.conf and DNS
|
||
|
lookup
|
||
|
|
||
|
The test in ipaclient_test_keytab is at first trying to use an existing
|
||
|
krb5.conf to test if the host keytab can be used. With working DNS lookup
|
||
|
an absent krb5.conf is not reported as an error as DNS lookup is
|
||
|
silently used instead.
|
||
|
|
||
|
A temporary krb5.conf is now used in this test that forces to deactivate
|
||
|
DNS lookups and also to load /etc/krb5.conf. A missing krb5.conf is now
|
||
|
detected properly as the kinit call fails now properly. Thanks to Julien
|
||
|
Rische for this proposal.
|
||
|
|
||
|
ipaclient_test_keytab is now properly returning the state of usable or
|
||
|
not usable krb5.conf in krb5_conf_ok. This fixes the handling of this
|
||
|
case later on in the role.
|
||
|
---
|
||
|
.../library/ipaclient_test_keytab.py | 27 +++++++++++++++++--
|
||
|
1 file changed, 25 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/roles/ipaclient/library/ipaclient_test_keytab.py b/roles/ipaclient/library/ipaclient_test_keytab.py
|
||
|
index a86b237..3f1c69d 100644
|
||
|
--- a/roles/ipaclient/library/ipaclient_test_keytab.py
|
||
|
+++ b/roles/ipaclient/library/ipaclient_test_keytab.py
|
||
|
@@ -159,11 +159,29 @@ def main():
|
||
|
ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
|
||
|
env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}
|
||
|
|
||
|
- # First try: Validate krb5 keytab with system krb5 configuraiton
|
||
|
+ # First try: Validate with temporary test krb5.conf that forces
|
||
|
+ # 1) no DNS lookups and
|
||
|
+ # 2) to load /etc/krb5.conf:
|
||
|
+ #
|
||
|
+ # [libdefaults]
|
||
|
+ # dns_lookup_realm = false
|
||
|
+ # dns_lookup_kdc = false
|
||
|
+ # include /etc/krb5.conf
|
||
|
+ #
|
||
|
try:
|
||
|
+ (krb_fd, krb_name) = tempfile.mkstemp()
|
||
|
+ os.close(krb_fd)
|
||
|
+ content = "\n".join([
|
||
|
+ "[libdefaults]",
|
||
|
+ "dns_lookup_realm = false",
|
||
|
+ "dns_lookup_kdc = false",
|
||
|
+ "include /etc/krb5.conf"
|
||
|
+ ])
|
||
|
+ with open(krb_name, "w") as outf:
|
||
|
+ outf.write(content)
|
||
|
kinit_keytab(host_principal, paths.KRB5_KEYTAB,
|
||
|
paths.IPA_DNS_CCACHE,
|
||
|
- config=paths.KRB5_CONF,
|
||
|
+ config=krb_name,
|
||
|
attempts=kinit_attempts)
|
||
|
krb5_keytab_ok = True
|
||
|
krb5_conf_ok = True
|
||
|
@@ -177,6 +195,11 @@ def main():
|
||
|
pass
|
||
|
except GSSError:
|
||
|
pass
|
||
|
+ finally:
|
||
|
+ try:
|
||
|
+ os.remove(krb_name)
|
||
|
+ except OSError:
|
||
|
+ module.fail_json(msg="Could not remove %s" % krb_name)
|
||
|
|
||
|
# Second try: Validate krb5 keytab with temporary krb5
|
||
|
# configuration
|
||
|
--
|
||
|
2.39.2
|
||
|
|