[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

Ade Lee alee at redhat.com
Tue Jun 11 14:42:25 UTC 2013


On Mon, 2013-06-10 at 16:35 +0200, Ana Krivokapic wrote:
> On 06/07/2013 10:23 AM, Tomas Babej wrote:
> 
> > On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
> > 
> > > On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> > > > On 05/15/2013 12:04 PM, Tomas Babej wrote:
> > > > > On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
> > > > > > Hello,
> > > > > > 
> > > > > > See the commit message for details.
> > > > > > 
> > > > > > https://fedorahosted.org/freeipa/ticket/3594
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > Freeipa-devel mailing list
> > > > > > Freeipa-devel at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > > > +    def regenerate_ca_file(self, ca_file):
> > > > > +        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
> > > > > +        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
> > > > > +
> > > > > +        os.write(dm_pwd_fd, self.dirman_password)
> > > > > +        os.close(dm_pwd_fd)
> > > > > +
> > > > > +        keydb_pwd = ''
> > > > > +        with open('/etc/pki/pki-tomcat/password.conf') as f:
> > > > > +            for line in f.readlines():
> > > > > +                key, value = line.strip().split('=')
> > > > > +                if key == 'internal':
> > > > > +                    keydb_pwd = value
> > > > > +                    break
> > > > > +
> > > > > +        os.write(keydb_pwd_fd, keydb_pwd)
> > > > > +        os.close(keydb_pwd_fd)
> > > > > +
> > > > > +        ipautil.run([
> > > > > +            '/usr/bin/PKCS12Export',
> > > > > +            '-d', '/etc/pki/pki-tomcat/alias/',
> > > > > +            '-p', keydb_pwd_fname,
> > > > > +            '-w', dm_pwd_fname,
> > > > > +            '-o', ca_file
> > > > > +        ])
> > > > > +
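Review bot: the password.conf loop at `key, value = line.strip().split('=')` raises ValueError on any blank or comment line and on a value that itself contains '=' (too many values to unpack), so the export would fail before PKCS12Export is even run; use `key, value = line.strip().split('=', 1)` and skip lines without '=' first. Also, when no `internal` entry is present, `keydb_pwd` stays '' and an empty password file is passed to `-p` silently; raising an explicit error there would be clearer than whatever the tool reports.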
> > > > > 
> > > > > If the PKCS12Export call fails (returns a non-zero code), we raise an
> > > > > exception here, and the temporary files are never removed.
> > > > > 
> > > > > +        os.remove(dm_pwd_fname)
> > > > > +        os.remove(keydb_pwd_fname)
> > > > > 
> > > > > This might not be a big issue since the mkstemp() call creates the temporary
> > > > > file readable and writable only by the given user ID;
> > > > > however, we should not leave files with passwords in plaintext on the
> > > > > disk if it is not necessary.
> > > > > 
> > > > > This can be easily prevented by wrapping the call up in a
> > > > > try-catch-finally block, or by using the raiseonerr=False option of the run
> > > > > method.
> > > > Or by using ipautil.write_tmp_file() – the file it creates is always
> > > > removed after it's closed/garbage collected, and it has a name attribute.
> > > > 
> > > Updated patch uses `ipautil.write_tmp_file()`.
> > > 
> > > 
> > > 
> > I'm testing on a fairly updated F19 VM:
> > 
> > I'm getting the following error when preparing the replica info
> > file:
> > 
> > [root at vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address
> > 192.168.122.213
> > Directory Manager (existing master) password: 
> > 
> > Preparing replica for vm-003.ipa.com from vm-002.ipa.com
> > Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
> > -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned
> > non
> > 
> > When trying that manually:
> > 
> > [root at vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
> > -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
> > Exception in thread "main" java.lang.NoClassDefFoundError:
> > org/mozilla/jss/util/PasswordCallback
> >     at java.lang.Class.getDeclaredMethods0(Native Method)
> >     at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
> >     at java.lang.Class.getMethod0(Class.java:2694)
> >     at java.lang.Class.getMethod(Class.java:1622)
> >     at
> > sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
> >     at
> > sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
> > Caused by: java.lang.ClassNotFoundException:
> > org.mozilla.jss.util.PasswordCallback
> >     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
> >     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
> >     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
> >     ... 6 more
> > 
> > We might need to investigate what causes this, and if the issue is
> > not on our side, file appropriate bugs.
> > 
> > Tomas
> 
> This is a bug in the PKCS12Export utility. I opened a Bugzilla for
> it: https://bugzilla.redhat.com/show_bug.cgi?id=972753.
> 
> Below is a workaround, as suggested by Ade:
> <alee> as for a workaround, you could simply edit the file that starts
> PKCS12Export
> <alee> edit /usr/bin/PKCS12Export
> <alee> after line 134, simply add the line :
> CP=/usr/lib/java/jss4.jar
> <alee> but that's just a temp fix for f19 only
> <alee> not the real fix,
> <alee> you'll need the real fix checked in to pass the patch
> 

Just FYI, we plan to do a new release of pki-core today
(pki-core-10.0.3-2) to address this issue.

> -- 
> Regards,
> 
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
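The cleanup problem Tomas raises above (an exception from the export leaves plaintext password files in /tmp) and the password.conf parsing both come down to a small amount of defensive Python. The following is an added example, not FreeIPA code and not `ipautil.write_tmp_file()`: it implements the same guarantee with a context manager around `tempfile.mkstemp()`, parses `key=value` lines on the first `=` only, and uses a constructed stand-in child process (`fake_exporter`, not the real PKCS12Export) so the success and failure paths can be exercised offline.

```python
import os
import subprocess
import sys
import tempfile
from contextlib import contextmanager


class ExportError(RuntimeError):
    """Raised when the external command fails. Carries the temp paths so a
    caller (or a test) can verify that they were cleaned up."""

    def __init__(self, argv, returncode, paths):
        super().__init__("Command %r returned non-zero exit status %d"
                         % (argv, returncode))
        self.argv = argv
        self.returncode = returncode
        self.paths = paths


@contextmanager
def secret_tmp_file(secret: bytes):
    """Hand a secret to an external tool through a short-lived file.

    mkstemp() creates the file with mode 0600 and O_EXCL, so other users
    cannot read it; the outer finally removes it whether the body
    returns normally or raises (the gap in the original patch)."""
    fd, name = tempfile.mkstemp()
    try:
        try:
            os.write(fd, secret)
        finally:
            os.close(fd)
        yield name
    finally:
        try:
            os.unlink(name)
        except FileNotFoundError:
            pass


def read_keydb_password(lines, key="internal"):
    """Return the value for `key` from password.conf-style 'key=value' lines.

    Blank lines, comments and lines without '=' are skipped, and the split
    is on the first '=' only, so a password containing '=' is preserved."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v
    raise KeyError("no %r entry in password.conf" % key)


def run_with_password_files(argv_template, dirman_password, keydb_password):
    """Run argv_template with '{dm}' and '{keydb}' replaced by the paths of
    temp files holding the two passwords. Both files are removed before this
    function returns or raises. Returns the command's decoded stdout."""
    with secret_tmp_file(dirman_password) as dm_name, \
            secret_tmp_file(keydb_password) as keydb_name:
        argv = [a.replace("{dm}", dm_name).replace("{keydb}", keydb_name)
                for a in argv_template]
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
        if proc.returncode != 0:
            raise ExportError(argv, proc.returncode, [dm_name, keydb_name])
        return proc.stdout.decode()


def fake_exporter(exit_code):
    """Constructed stand-in for PKCS12Export (hypothetical, not the real tool):
    prints the mode and content of the password file it is given, then exits
    with exit_code so the failure path can be exercised."""
    return [sys.executable, "-c",
            "import os, sys; p = sys.argv[1]; "
            "print(oct(os.stat(p).st_mode & 0o777), open(p).read()); "
            "sys.exit(int(sys.argv[2]))",
            "{dm}", str(exit_code)]


def files_remaining(paths):
    """Paths from the list that still exist on disk (should be empty)."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    # Constructed sample password.conf content, not a real file.
    conf = ["# NSS database passwords", "", "internal=abc=def",
            "hardware-nethsm=x"]
    keydb = read_keydb_password(conf).encode()
    print(run_with_password_files(fake_exporter(0), b"Secret123", keydb))
    try:
        run_with_password_files(fake_exporter(1), b"Secret123", keydb)
    except ExportError as err:
        print("failed as expected; leftover files:", files_remaining(err.paths))
```

On the failure path the exception propagates out of the `with` block, and the `finally` clauses run during that propagation, which is exactly the moment the original patch's trailing `os.remove()` calls would have been skipped.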
