[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys
Martin Basti
mbasti at redhat.com
Tue Jul 19 15:03:01 UTC 2016
On 12.07.2016 16:45, Christian Heimes wrote:
> Custodia's server.keys file contains the private RSA keys for encrypting
> and signing Custodia messages. The file was created with permission 644
> and is only secured by permission 700 of the directory
> /etc/ipa/custodia. The installer and upgrader ensure that the file
> has 600.
>
> The server.keys file and all keys are now removed during
> uninstallation of a server, too.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
> https://fedorahosted.org/freeipa/ticket/6015
> https://fedorahosted.org/freeipa/ticket/6056
>
>
NACK
ipa-server-install --uninstall doesn't work:
2016-07-19T15:00:34Z INFO Remove Custodia keys
2016-07-19T15:00:34Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1367, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1075, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 74, in __remove_keys
    keystore.remove_server_keys()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 224, in remove_server_keys
    self.remove_keys('host')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 231, in remove_keys
    ldapconn.remove_key(KEY_USAGE_SIG, principal)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 145, in remove_key
    conn = self.connect()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/common.py", line 38, in connect
    conn.sasl_interactive_bind_s('', auth_tokens)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 244, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
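The permission problem described in the quoted patch summary (a key file created as 644 and protected only by the 700 mode of its directory, later forced to 600 by the installer and upgrader) and the idempotent local removal on uninstall can be shown in a few stand-alone functions. The block below is an added example written for this thread; it is not FreeIPA's or Custodia's code and it does not touch LDAP. The functions `write_private_file`, `check_private_file`, `harden_private_file`, `remove_private_file` and `demo` are names chosen here, and `demo()` works in a throwaway temporary directory that stands in for /etc/ipa/custodia, with constructed placeholder content instead of real keys.

```python
"""Create, audit, harden and remove a private key file such as server.keys.

Added example for the freeipa-devel thread; not FreeIPA or Custodia code.
"""
import errno
import os
import stat
import tempfile

KEY_MODE = 0o600  # owner read/write only: what the installer and upgrader enforce


def write_private_file(path, data):
    """Create ``path`` with mode 0600 from the first instant it exists.

    Passing the mode to os.open with O_CREAT|O_EXCL avoids the window in which
    a file created with the default 0644 is readable by other users and only
    the parent directory's 0700 protects it. O_EXCL also refuses to follow a
    planted symlink or to overwrite an existing file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, KEY_MODE)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # umask can only clear bits from the requested mode, but be explicit anyway.
    os.chmod(path, KEY_MODE)


def check_private_file(path):
    """Return a list of findings for a key file; an empty list means it is acceptable."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink in a privileged directory can redirect reads/writes elsewhere.
        findings.append("symlink")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by uid %d, not uid %d" % (st.st_uid, os.getuid()))
    return findings


def harden_private_file(path):
    """Force mode 0600 on an existing file (the upgrader's job) and return the new mode."""
    os.chmod(path, KEY_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def remove_private_file(path):
    """Delete the key file during uninstall.

    Returns True if a file was removed and False if it was already gone, so a
    repeated uninstall does not fail on a missing file.
    """
    try:
        os.unlink(path)
        return True
    except OSError as exc:
        if exc.errno != errno.ENOENT:
            raise
        return False


def demo():
    """Round trip in a temporary directory; returns every observation in a dict."""
    workdir = tempfile.mkdtemp()  # stands in for /etc/ipa/custodia (assumption)
    path = os.path.join(workdir, "server.keys")
    result = {}
    write_private_file(path, b'{"keys": []}')  # constructed placeholder, not a real key
    result["created_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    result["clean"] = check_private_file(path)
    os.chmod(path, 0o644)  # reproduce the pre-patch permission
    result["loose"] = check_private_file(path)
    result["hardened_mode"] = harden_private_file(path)
    result["after_fix"] = check_private_file(path)
    result["removed"] = remove_private_file(path)
    result["removed_again"] = remove_private_file(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`demo()` reports a 0600 file with no findings at creation, one finding once the mode is relaxed to 0644, and a clean result again after hardening; the second removal returns False instead of raising, which is the behaviour an uninstall step should have when it may run more than once.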