From 2bd0e49b7a7ba98a8ee6872cc7c3e619578c4431 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 5 Apr 2017 17:29:26 +0200
Subject: [PATCH] Stop requesting anonymous keytab and purge all references of
 it
Anonymous kinit using a keytab never worked, so we may safely remove all
code that requests/uses it.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 ipaplatform/base/paths.py           |  1 -
 ipaserver/install/httpinstance.py   | 17 -----------------
 ipaserver/install/ipa_backup.py     |  1 -
 ipaserver/install/server/upgrade.py |  1 -
 4 files changed, 20 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index dbdd71ed0b4d69c1101db4aeb7d93152ab8aa730..f80c9e95ab875222887e3692ab80151f84345469 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -50,7 +50,6 @@ class BasePathNamespace(object):
     HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
     OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
     HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
-    ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
     HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
     IDMAPD_CONF = "/etc/idmapd.conf"
     ETC_IPA = "/etc/ipa"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f0a477e0bf16b03ed8b937279dad88e6e2b3aab6..7898c53bc02785e2750dba61a5696f079355c9d7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,7 +30,6 @@ import locale
 
 import six
 
-from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
@@ -42,7 +41,6 @@ from ipapython.ipa_log_manager import root_logger
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
-from ipalib.constants import ANON_USER
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -158,7 +156,6 @@ class HTTPInstance(service.Service):
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self.request_service_keytab)
-        self.step("retrieving anonymous keytab", self.request_anon_keytab)
         self.step("configuring Gssproxy", self.configure_gssproxy)
         self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
@@ -304,20 +301,6 @@ class HTTPInstance(service.Service):
             if certmonger_stopped:
                 certmonger.stop()
 
-    def request_anon_keytab(self):
-        parent = os.path.dirname(paths.ANON_KEYTAB)
-        if not os.path.exists(parent):
-            os.makedirs(parent, 0o755)
-
-        self.clean_previous_keytab(keytab=paths.ANON_KEYTAB)
-        self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
-
-        pent = pwd.getpwnam(IPAAPI_USER)
-        os.chmod(parent, 0o700)
-        os.chown(parent, pent.pw_uid, pent.pw_gid)
-
-        self.set_keytab_owner(keytab=paths.ANON_KEYTAB, owner=IPAAPI_USER)
-
     def create_password_conf(self):
         """
         This is the format of mod_nss pin files.
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index f71a40bb06545c8d89d1e3fdbc37d5e6e1fe8d58..40f08d7d727a8b97b5996f15d27c1e20788e1473 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -120,7 +120,6 @@ class Backup(admintool.AdminTool):
     )
 
     files = (
-        paths.ANON_KEYTAB,
         paths.NAMED_CONF,
         paths.NAMED_KEYTAB,
         paths.RESOLV_CONF,
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 927acb011172de926773196eb1d032af8376f3d9..ea2918f5037898b6b8dc601441a439b6150d54e5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1795,7 +1795,6 @@ def upgrade_configuration():
                         KDC_KEY=paths.KDC_KEY,
                         CACERT_PEM=paths.CACERT_PEM)
     krb.add_anonymous_principal()
-    http.request_anon_keytab()
     setup_pkinit(krb)
 
     if not ds_running:
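Review bot: Dropping `-    http.request_anon_keytab()` stops creating the anonymous keytab, but a server upgraded from a release that did run it keeps the stale file at the former `paths.ANON_KEYTAB` location (`/var/lib/ipa/api/anon.keytab` in the paths.py hunk), and the ipa_backup.py hunk only stops backing it up rather than removing it. That file carries key material for the anonymous principal and nothing references it any more, so the upgrade step is the natural place to delete it, e.g. `anon_keytab = "/var/lib/ipa/api/anon.keytab"` followed by `if os.path.exists(anon_keytab): os.remove(anon_keytab)` (the path as a literal since the constant is gone; this assumes `os` is imported in upgrade.py, which the hunk does not show). The retained `krb.add_anonymous_principal()` call is unaffected, so anonymous PKINIT keeps working without the keytab. upgrade_configuration starts before this hunk and continues past it.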
-- 
2.12.2