[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
Tomas Babej
tbabej at redhat.com
Fri Jun 7 08:23:36 UTC 2013
On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
> On 05/15/2013 12:29 PM, Petr Viktorin wrote:
>> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> See the commit message for details.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3594
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> + def regenerate_ca_file(self, ca_file):
>>> + dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>>> + keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>>> +
>>> + os.write(dm_pwd_fd, self.dirman_password)
>>> + os.close(dm_pwd_fd)
>>> +
>>> + keydb_pwd = ''
>>> + with open('/etc/pki/pki-tomcat/password.conf') as f:
>>> + for line in f.readlines():
>>> + key, value = line.strip().split('=')
>>> + if key == 'internal':
>>> + keydb_pwd = value
>>> + break
>>> +
>>> + os.write(keydb_pwd_fd, keydb_pwd)
>>> + os.close(keydb_pwd_fd)
>>> +
>>> + ipautil.run([
>>> + '/usr/bin/PKCS12Export',
>>> + '-d', '/etc/pki/pki-tomcat/alias/',
>>> + '-p', keydb_pwd_fname,
>>> + '-w', dm_pwd_fname,
>>> + '-o', ca_file
>>> + ])
>>> +
>>>
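Review bot: the password.conf parser at `key, value = line.strip().split('=')` raises ValueError on any blank or comment line and on a value that itself contains '='; use `line.split('=', 1)` and skip lines without '='. When no `internal` entry is found the code silently hands an empty password file to PKCS12Export, which then fails with an opaque tool error instead of a clear one; raise explicitly in that case. Also, the two mkstemp() files holding the Directory Manager and NSS DB passwords are only removed on the success path; wrap the ipautil.run() call in try/finally (or use a helper that guarantees removal) so a failed export does not leave plaintext passwords in /tmp.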
>>> If the PKCS12Export call fails (returns a non-zero code), we raise an
>>> exception here, and the temporary files are never removed.
>>>
>>> + os.remove(dm_pwd_fname)
>>> + os.remove(keydb_pwd_fname)
>>>
>>> This might not be a big issue since the mkstemp() call creates a temporary
>>> file readable and writable only by the given user ID;
>>> however, we should not leave files with passwords in plaintext on the
>>> disk if it is not necessary.
>>>
>>> This can be easily prevented by wrapping the call up in a
>>> try-catch-finally block, or by using the raiseonerr=False option of the run
>>> method.
>> Or by using ipautil.write_tmp_file() -- the file it creates is always
>> removed after it's closed/garbage collected, and it has a name attribute.
>>
> Updated patch uses `ipautil.write_tmp_file()`.
>
>
>
I'm testing on a fairly updated F19 VM:
I'm getting the following error when preparing the replica info file:
[root at vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address 192.168.122.213
Directory Manager (existing master) password:
Preparing replica for vm-003.ipa.com from vm-002.ipa.com
Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non
When trying that manually:
[root at vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/util/PasswordCallback
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
at java.lang.Class.getMethod0(Class.java:2694)
at java.lang.Class.getMethod(Class.java:1622)
at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: org.mozilla.jss.util.PasswordCallback
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
... 6 more
We might need to investigate what causes this, and if the issue is not
on our side, file appropriate bugs.
Tomas
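The cleanup-on-failure pattern discussed in this thread, written out as an added example (this is not FreeIPA's code and does not use ipautil): a 0600 temp file per secret that is unlinked in a finally: clause whether the external tool succeeds or not, plus a password.conf reader that tolerates blank and comment lines and values containing '='. The PKCS12Export argv mirrors the one quoted above, but the tool itself is replaced by an injected `runner` so the flow can be exercised offline; the password.conf text and the `demo()` fake runner are constructed for the example.

```python
import os
import stat
import subprocess
import tempfile
from contextlib import contextmanager


def parse_password_conf(text, key='internal'):
    """Return the value of `key` from password.conf-style 'key=value' text.

    Skips blank and comment lines, splits on the first '=' only (so values
    may contain '='), and raises KeyError instead of returning '' when the
    key is missing, so the caller never passes an empty password onward.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        k, v = line.split('=', 1)
        if k.strip() == key:
            return v.strip()
    raise KeyError("no '%s' entry in password.conf" % key)


@contextmanager
def secret_file(secret):
    """Yield the path of a 0600 temp file holding `secret`; always unlink it.

    mkstemp() creates the file with mode 0600, so only the calling user can
    read it; the finally: clause removes it whether the body succeeds, raises,
    or the external tool fails, which is the gap the thread points out.
    """
    fd, path = tempfile.mkstemp()
    try:
        with open(fd, 'w') as f:  # open() takes ownership of fd and closes it
            f.write(secret)
        yield path
    finally:
        os.unlink(path)


def export_ca(dirman_password, password_conf_text, out_file, runner=subprocess.run):
    """Run the exporter with both passwords supplied through temp files.

    `runner` is injected so the flow can be exercised without the real
    /usr/bin/PKCS12Export (the argv mirrors the one quoted in the thread).
    Raises RuntimeError on a non-zero exit; the temp files are gone either way.
    """
    keydb_pwd = parse_password_conf(password_conf_text)
    with secret_file(dirman_password) as dm_path, secret_file(keydb_pwd) as kdb_path:
        argv = ['/usr/bin/PKCS12Export', '-d', '/etc/pki/pki-tomcat/alias/',
                '-p', kdb_path, '-w', dm_path, '-o', out_file]
        result = runner(argv)
        if result.returncode != 0:
            raise RuntimeError("Command %r returned non-zero exit status %d"
                               % (' '.join(argv), result.returncode))
    return result.returncode


# Constructed sample for the example; not a real password.conf.
SAMPLE_PASSWORD_CONF = """# NSS database passwords (constructed sample)
internal=Secret123=with=equals
hardware-nfast=unused
"""


def demo(exit_code=0):
    """Drive export_ca() with a fake runner standing in for PKCS12Export.

    Returns (seen, failed, all_gone): what the fake tool saw in each password
    file (path, content, mode), whether export_ca raised, and whether every
    temp file had been removed by the time export_ca returned.
    """
    seen = {}

    def fake_runner(argv):
        for flag in ('-p', '-w'):
            path = argv[argv.index(flag) + 1]
            with open(path) as f:
                content = f.read()
            seen[flag] = (path, content, stat.S_IMODE(os.stat(path).st_mode))
        return subprocess.CompletedProcess(argv, exit_code)

    try:
        export_ca('dm-pass', SAMPLE_PASSWORD_CONF, '/tmp/unused.p12', runner=fake_runner)
        failed = False
    except RuntimeError:
        failed = True
    all_gone = not any(os.path.exists(p) for p, _, _ in seen.values())
    return seen, failed, all_gone


if __name__ == '__main__':
    for code in (0, 1):
        seen, failed, all_gone = demo(code)
        print('exit %d: raised=%s, temp files removed=%s' % (code, failed, all_gone))
```

Running the module exercises both the success path and a simulated non-zero exit; in both cases the password files exist (mode 0600) only for the duration of the tool call and are gone afterwards.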