[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

Tomas Babej tbabej at redhat.com
Fri Jun 7 08:23:36 UTC 2013


On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
> On 05/15/2013 12:29 PM, Petr Viktorin wrote:
>> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> See the commit message for details.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3594
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> +    def regenerate_ca_file(self, ca_file):
>>> +        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>>> +        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>>> +
>>> +        os.write(dm_pwd_fd, self.dirman_password)
>>> +        os.close(dm_pwd_fd)
>>> +
>>> +        keydb_pwd = ''
>>> +        with open('/etc/pki/pki-tomcat/password.conf') as f:
>>> +            for line in f.readlines():
>>> +                key, value = line.strip().split('=')
>>> +                if key == 'internal':
>>> +                    keydb_pwd = value
>>> +                    break
>>> +
>>> +        os.write(keydb_pwd_fd, keydb_pwd)
>>> +        os.close(keydb_pwd_fd)
>>> +
>>> +        ipautil.run([
>>> +            '/usr/bin/PKCS12Export',
>>> +            '-d', '/etc/pki/pki-tomcat/alias/',
>>> +            '-p', keydb_pwd_fname,
>>> +            '-w', dm_pwd_fname,
>>> +            '-o', ca_file
>>> +        ])
>>> +
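Review bot: the password.conf parsing at `key, value = line.strip().split('=')` raises ValueError on any blank or comment line and on a value that itself contains '=', which a password may well do; use `key, value = line.split('=', 1)` and skip lines without '=' (iterating `for line in f` also avoids `readlines()` loading the whole file). Separately, the `ipautil.run()` call leaves both plaintext password files on disk when PKCS12Export exits non-zero, because the `os.remove()` calls that follow are not in a try/finally.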
>>>
>>> If the PKCS12Export call fails (returns a non-zero code), we raise an
>>> exception here, and the temporary files are never removed.
>>>
>>> +        os.remove(dm_pwd_fname)
>>> +        os.remove(keydb_pwd_fname)
>>>
>>> This might not be a big issue since the mkstemp() call creates the temporary
>>> file readable and writable only by the given user ID,
>>> however, we should not leave files with passwords in plaintext on the
>>> disk if it is not necessary.
>>>
>>> This can be easily prevented by wrapping the call up in a
>>> try-catch-finally block, or by using the raiseonerr=False option of the run
>>> method.
>> Or by using ipautil.write_tmp_file() -- the file it creates is always
>> removed after it's closed/garbage collected, and it has a name attribute.
>>
> Updated patch uses `ipautil.write_tmp_file()`.
>
>
>
I'm testing on a fairly updated F19 VM:

I'm getting the following error when preparing the replica info file:

[root at vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address 192.168.122.213
Directory Manager (existing master) password:

Preparing replica for vm-003.ipa.com from vm-002.ipa.com
Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non

When trying that manually:

[root at vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/util/PasswordCallback
     at java.lang.Class.getDeclaredMethods0(Native Method)
     at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
     at java.lang.Class.getMethod0(Class.java:2694)
     at java.lang.Class.getMethod(Class.java:1622)
     at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
     at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: org.mozilla.jss.util.PasswordCallback
     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
     ... 6 more

We might need to investigate what causes this, and if the issue is not 
on our side, file appropriate bugs.

Tomas
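A hardened form of the temp-file handling discussed in this thread, as an added example that is not FreeIPA's code: a context manager that removes the mode-0600 secret file even when the command it was written for fails, and a password.conf reader that tolerates comments, blank lines and '=' inside the value. The names `secret_file`, `read_internal_password`, `run_with_secret` and `removed_after_failure` are assumptions, and `ipautil.write_tmp_file()` is not used so the block runs stand-alone.

```python
# Added example, not FreeIPA's own code: keep a plaintext password on disk
# only for the lifetime of the subprocess that needs it, whatever its exit.
import os
import subprocess
import tempfile
from contextlib import contextmanager

@contextmanager
def secret_file(secret):
    """Yield the path of a 0600 temp file holding `secret`; always unlink it."""
    fd, path = tempfile.mkstemp()  # mkstemp() creates the file with mode 0600
    try:
        os.write(fd, secret.encode())
        os.close(fd)
        yield path
    finally:
        os.unlink(path)  # runs on normal exit and when the body raises

def read_internal_password(conf_text):
    """Return the 'internal' entry of a password.conf-style text.

    split('=', 1) keeps any '=' that is part of the password itself;
    blank and comment lines are skipped instead of raising ValueError.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if key.strip() == 'internal':
            return value
    raise KeyError("no 'internal' entry in password.conf")

def run_with_secret(secret, argv):
    """Run argv with the secret file path appended; return (rc, leaked)."""
    with secret_file(secret) as path:
        rc = subprocess.call(argv + [path])
    return rc, os.path.exists(path)  # leaked must be False whatever rc was

def removed_after_failure(secret):
    """True if the secret file is gone after the guarded body raised."""
    try:
        with secret_file(secret) as path:
            raise RuntimeError("simulated PKCS12Export failure")
    except RuntimeError:
        return not os.path.exists(path)
```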