[Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

Martin Babinsky mbabinsk at redhat.com
Wed Oct 14 06:15:00 UTC 2015


On 10/13/2015 02:52 PM, Simo Sorce wrote:
> On 13/10/15 04:04, Petr Spacek wrote:
>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>
>>>>> each service possessing Kerberos keytab will now remove it and
>>>>> destroy any
>>>>> associated credentials cache during its uninstall
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>
>>>> BTW some time ago Simo proposed that we should remove caches and old
>>>> keytabs
>>>> during *install* so problems caused by failing uninstallation will
>>>> be fixed on
>>>> repeated install. This is yet another step towards idempotent
>>>> installer.
>>>>
>>>> To me this makes more sense than doing so on uninstall. Does it make
>>>> sense to
>>>> you, too?
>>>>
>>>
>>> If the problem is formulated like this (the endpoint is that services
>>> have
>>> their keytabs) then it makes more sense to me. I will rework the patch
>>> accordingly.
>>
>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>
>> Simo, does it make sense to do that on installation rather than
>> uninstallation?
>
> Actually on a server re-install it may make sense to check if the keytab
> is valid and keep it if it is.
I'm not sure how we can keep the keytabs when reinstalling the server.
We are re-creating the service principals with new keys and thus have to
recreate keytabs anyway. I would argue that we should wipe them (and any
leftover credentials caches) before installation.

But maybe I have missed something.
> Make sure you do not break promotion by removing the host keytab or
> keytabs that have been legitimately created in the client.
>
I was not poking host keytabs in my patch specifically for this reason.
There is some code in ipa-client-install that handles principal removal
from /etc/krb5.keytab during client uninstall. And since this code is
run after IPA server uninstall I left it to do its job.

> But otherwise the direction is good.
>
> Simo.
>


-- 
Martin^3 Babinsky