URL: https://github.com/freeipa/freeipa/pull/405 Author: flo-renaud Title: #405: ipa-restore must stop tracking PKINIT cert in the preparation phase Action: opened
PR body: """ ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails. https://fedorahosted.org/freeipa/ticket/6570 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/405/head:pr405 git checkout pr405
From 121388c4d8f7ce3fd6ba172904bd30564268db58 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 20 Jan 2017 08:33:22 +0100
Subject: [PATCH] ipa-restore must stop tracking PKINIT cert in the preparation phase

ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs. It must also stop tracking the newly introduced PKINIT cert (stored in /var/kerberos/krb5kdc/kdc.crt). Otherwise the restore operation ends up with PKINIT cert tracked twice and uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570
---
 ipaserver/install/ipa_restore.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 2fae215..89cf9e6 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -41,7 +41,7 @@
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
 get_cs_replication_manager)
 from ipaserver.install import installutils
-from ipaserver.install import dsinstance, httpinstance, cainstance
+from ipaserver.install import dsinstance, httpinstance, cainstance, krbinstance
 from ipapython import ipaldap
 import ipapython.errors
 from ipaplatform.constants import constants
@@ -821,6 +821,8 @@ def cert_restore_prepare(self):
 # When IPA is not installed, DS NSS DB does not exist
 pass
 
+ krbinstance.KrbInstance().stop_tracking_certs()
+
 for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
 filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
 try:
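Review bot: The new `krbinstance.KrbInstance().stop_tracking_certs()` call in `cert_restore_prepare` runs outside any exception handler, whereas the DS step just above it appears to be guarded (the context shows a `pass` under the comment "When IPA is not installed, DS NSS DB does not exist"). The body of `stop_tracking_certs()` is not visible here, so it is worth confirming that it does nothing when `/var/kerberos/krb5kdc/kdc.crt` is absent or untracked, for example when restoring onto a host without IPA installed or from a backup that predates PKINIT, rather than raising and aborting the restore preparation. A one-line comment above the call would also help the next reader, e.g. `# Stop certmonger tracking of the PKINIT cert so the restore does not leave it tracked twice`. The function starts and ends outside this hunk.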