From 61d06ac1701a6a3a4afe75bcff64f271991a82ec Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Tue, 18 Aug 2015 18:33:37 +0200

Subject: [PATCH] improve the handling of krb5-related errors in dnssec daemons

ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully

instead of crashing with tracebacks.

https://fedorahosted.org/freeipa/ticket/5229

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 daemons/dnssec/ipa-dnskeysync-replica | 10 +++++++++-

 daemons/dnssec/ipa-dnskeysyncd        |  4 ++--

 daemons/dnssec/ipa-ods-exporter       | 10 +++++++++-

 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica

index 551c2f21d5b85b76a7281f719ce722a6c5830cf7..b80b38962957f922cc871ead471f8da0831bec4d 100755

--- a/daemons/dnssec/ipa-dnskeysync-replica

+++ b/daemons/dnssec/ipa-dnskeysync-replica

@@ -12,6 +12,7 @@ from binascii import hexlify

 from datetime import datetime

 import dns.dnssec

 import fcntl

+from krbV import Krb5Error

 import logging

 import os

 from pprint import pprint

@@ -141,7 +142,14 @@ log.setLevel(level=logging.DEBUG)

 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))

 log.debug('Kerberos principal: %s', PRINCIPAL)

 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')

-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)

+

+try:

+    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,

+                         ccache_filename, attempts=5)

+except Krb5Error as e:

+    log.critical('Kerberos authentication failed: %s', e)

+    sys.exit(1)

+

 os.environ['KRB5CCNAME'] = ccache_filename

 log.debug('Got TGT')

diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd

index a0fcf8b4b2f27627f3ebcb089e212eefda2adbd3..660e34b45084dd5a31967e9493f488632ec00932 100755

--- a/daemons/dnssec/ipa-dnskeysyncd

+++ b/daemons/dnssec/ipa-dnskeysyncd

@@ -66,9 +66,9 @@ PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))

 log.debug('Kerberos principal: %s', PRINCIPAL)

 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')

 try:

-    ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)

+    ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)

 except Exception as ex:

-    log.critical(ex)

+    log.critical("Kerberos authentication failed: %s", ex)

     # signal failure and let init system to restart the daemon

     sys.exit(1)

 os.environ['KRB5CCNAME'] = ccache_filename

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter

index 4c6649c2fbfe77e563ab70276a92b59201fcbace..4d5423797fc9d4bdd0a432bac96b8209bb98c6d8 100755

--- a/daemons/dnssec/ipa-ods-exporter

+++ b/daemons/dnssec/ipa-ods-exporter

@@ -20,6 +20,7 @@ from datetime import datetime

 import dateutil.tz

 import dns.dnssec

 import fcntl

+from krbV import Krb5Error

 import logging

 import os

 import subprocess

@@ -482,7 +483,14 @@ ipalib.api.finalize()

 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))

 log.debug('Kerberos principal: %s', PRINCIPAL)

 ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')

-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)

+

+try:

+    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,

+                         attempts=5)

+except Krb5Error as e:

+    log.critical('Kerberos authentication failed: %s', e)

+    sys.exit(1)

+

 os.environ['KRB5CCNAME'] = ccache_name

 log.debug('Got TGT')

-- 

2.4.3