|
 |
fca774 |
From bfeefaf454e3e705e509ed13b2e650ddfd487fa2 Mon Sep 17 00:00:00 2001
|
|
|
fca774 |
From: Thomas Woerner <twoerner@redhat.com>
|
|
|
fca774 |
Date: Wed, 8 Feb 2023 13:38:12 +0100
|
|
|
fca774 |
Subject: [PATCH] ipaclient: Fix allow_repair with removed krb5.conf and DNS
|
|
|
fca774 |
lookup
|
|
|
fca774 |
|
|
|
fca774 |
The test in ipaclient_test_keytab is at first trying to use an existing
|
|
|
fca774 |
krb5.conf to test if the host keytab can be used. With working DNS lookup
|
|
|
fca774 |
an absent krb5.conf is not reported as an error as DNS lookup is
|
|
|
fca774 |
silently used instead.
|
|
|
fca774 |
|
|
|
fca774 |
A temporary krb5.conf is now used in this test that forces to deactivate
|
|
|
fca774 |
DNS lookups and also to load /etc/krb5.conf. A missing krb5.conf is now
|
|
|
fca774 |
detected properly as the kinit call fails now properly. Thanks to Julien
|
|
|
fca774 |
Rische for this proposal.
|
|
|
fca774 |
|
|
|
fca774 |
ipaclient_test_keytab is now properly returning the state of usable or
|
|
|
fca774 |
not usable krb5.conf in krb5_conf_ok. This fixes the handling of this
|
|
|
fca774 |
case later on in the role.
|
|
|
fca774 |
---
|
|
|
fca774 |
.../library/ipaclient_test_keytab.py | 27 +++++++++++++++++--
|
|
|
fca774 |
1 file changed, 25 insertions(+), 2 deletions(-)
|
|
|
fca774 |
|
|
|
fca774 |
diff --git a/roles/ipaclient/library/ipaclient_test_keytab.py b/roles/ipaclient/library/ipaclient_test_keytab.py
|
|
|
fca774 |
index a86b237..3f1c69d 100644
|
|
|
fca774 |
--- a/roles/ipaclient/library/ipaclient_test_keytab.py
|
|
|
fca774 |
+++ b/roles/ipaclient/library/ipaclient_test_keytab.py
|
|
|
fca774 |
@@ -159,11 +159,29 @@ def main():
|
|
|
fca774 |
ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
|
|
|
fca774 |
env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}
|
|
|
fca774 |
|
|
|
fca774 |
- # First try: Validate krb5 keytab with system krb5 configuraiton
|
|
|
fca774 |
+ # First try: Validate with temporary test krb5.conf that forces
|
|
|
fca774 |
+ # 1) no DNS lookups and
|
|
|
fca774 |
+ # 2) to load /etc/krb5.conf:
|
|
|
fca774 |
+ #
|
|
|
fca774 |
+ # [libdefaults]
|
|
|
fca774 |
+ # dns_lookup_realm = false
|
|
|
fca774 |
+ # dns_lookup_kdc = false
|
|
|
fca774 |
+ # include /etc/krb5.conf
|
|
|
fca774 |
+ #
|
|
|
fca774 |
try:
|
|
|
fca774 |
+ (krb_fd, krb_name) = tempfile.mkstemp()
|
|
|
fca774 |
+ os.close(krb_fd)
|
|
|
fca774 |
+ content = "\n".join([
|
|
|
fca774 |
+ "[libdefaults]",
|
|
|
fca774 |
+ "dns_lookup_realm = false",
|
|
|
fca774 |
+ "dns_lookup_kdc = false",
|
|
|
fca774 |
+ "include /etc/krb5.conf"
|
|
|
fca774 |
+ ])
|
|
|
fca774 |
+ with open(krb_name, "w") as outf:
|
|
|
fca774 |
+ outf.write(content)
|
|
|
fca774 |
kinit_keytab(host_principal, paths.KRB5_KEYTAB,
|
|
|
fca774 |
paths.IPA_DNS_CCACHE,
|
|
|
fca774 |
- config=paths.KRB5_CONF,
|
|
|
fca774 |
+ config=krb_name,
|
|
|
fca774 |
attempts=kinit_attempts)
|
|
|
fca774 |
krb5_keytab_ok = True
|
|
|
fca774 |
krb5_conf_ok = True
|
|
|
fca774 |
@@ -177,6 +195,11 @@ def main():
|
|
|
fca774 |
pass
|
|
|
fca774 |
except GSSError:
|
|
|
fca774 |
pass
|
|
|
fca774 |
+ finally:
|
|
|
fca774 |
+ try:
|
|
|
fca774 |
+ os.remove(krb_name)
|
|
|
fca774 |
+ except OSError:
|
|
|
fca774 |
+ module.fail_json(msg="Could not remove %s" % krb_name)
|
|
|
fca774 |
|
|
|
fca774 |
# Second try: Validate krb5 keytab with temporary krb5
|
|
|
fca774 |
# configuration
|
|
|
fca774 |
--
|
|
|
fca774 |
2.39.2
|
|
|
fca774 |
|