https://fedorahosted.org/freeipa/ticket/2415
https://fedorahosted.org/freeipa/ticket/1995

Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back. #2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back. #1995

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From e3e556d68f4f04df5ca948341d6b8c0384df47b6 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <oham...@redhat.com>
Date: Fri, 9 Mar 2012 13:04:23 +0100
Subject: [PATCH] More exception handlers in ipa-client-install

Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
---
 ipa-client/ipa-install/ipa-client-install |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 22c6a925672b1e5e769bf09eaf49e48988bbea41..604283ae4da3ac2e668d9475a77f7053d5bc0ab2 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1337,7 +1337,11 @@ def install(options, env, fstore, statestore):
         print "Configured /etc/sssd/sssd.conf"
 
     # Add the CA to the default NSS database and trust it
-    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
+    try:
+        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
+    except CalledProcessError, e:
+        print >>sys.stderr, "Failed to add CA to the default NSS database."
+        return CLIENT_INSTALL_ERROR
 
     # If on master assume kerberos is already configured properly.
     if not options.on_master:
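Review bot: In the new `except CalledProcessError, e:` branch around the certutil call, `e` is bound but never used, so the message "Failed to add CA to the default NSS database." drops the only information that explains the failure. Consider including the exception text in the stderr line, for example `"Failed to add CA to the default NSS database: %s" % str(e)`, so an administrator can tell a missing `/etc/ipa/ca.crt` from a problem with `/etc/pki/nssdb`. Aborting here rather than continuing without the CA trusted is the right call.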
@@ -1354,6 +1358,9 @@ def install(options, env, fstore, statestore):
         api.Backend.xmlclient.connect()
     except CalledProcessError, e:
         print >>sys.stderr, "Failed to obtain host TGT."
+        # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
+        # abort installation and rollback changes
+        return CLIENT_INSTALL_ERROR
 
     if not options.on_master:
         client_dns(cli_server, hostname, options.dns_updates)
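Review bot: The added `return CLIENT_INSTALL_ERROR` in the host TGT `except` branch only returns an error code. The rollback promised in the commit message is not visible in this hunk, so it depends on how the caller of `install()` handles that value, which is worth confirming or noting in the comment. The stderr text "Failed to obtain host TGT." also gives the user no hint that installation stops here; saying so in the message would help. Minor: the comment would read better as "failure to obtain a ticket makes it impossible ...", and it would sit more naturally above the `print` than after it.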
-- 
1.7.6.5

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
