[krb5] Fix error detection when starting kpropd/kadmind

Nalin Dahyabhai nalin at fedoraproject.org
Thu Aug 15 04:11:31 UTC 2013


commit ee18500d9bf63fedace5dea8d090156e640e51e3
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Thu Aug 15 00:10:24 2013 -0400

    Fix error detection when starting kpropd/kadmind
    
    - drop a patch we're not applying
    - wrap kadmind and kpropd in scripts which check for the presence/absence
      of files which dictate particular exit codes before exec'ing the actual
      binaries, instead of trying to use ConditionPathExists in the unit files
      to accomplish that, so that we exit with failure properly when what we
      expect isn't actually in effect on the system (#800343)

 _kadmind       |   10 ++++++++++
 _kpropd        |   10 ++++++++++
 kadmin.service |    3 +--
 kprop.service  |    3 +--
 krb5.spec      |   22 +++++++++++++++++++---
 5 files changed, 41 insertions(+), 7 deletions(-)
---
diff --git a/_kadmind b/_kadmind
new file mode 100644
index 0000000..5088438
--- /dev/null
+++ b/_kadmind
@@ -0,0 +1,10 @@
+#!/bin/sh
+kadmind=/usr/sbin/kadmind
+if test -f /var/kerberos/krb5kdc/kpropd.acl ; then
+	echo $"Error. This appears to be a slave server, found kpropd.acl"
+	exit 6
+fi
+if ! test -x "$kadmind" ; then
+	exit 5
+fi
+exec "$kadmind" "$@"
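Review bot: The `echo $"Error. ..."` line in the kpropd.acl branch uses bash's `$"…"` locale-translation quoting under a `#!/bin/sh` shebang, so where /bin/sh is not bash the message is printed with a literal leading `$`. The same line appears in _kpropd. Plain quotes and stderr are safer, for example `echo "Error. This appears to be a slave server, found kpropd.acl" >&2`. The `exit 5` branch for a missing or non-executable binary prints nothing in either wrapper, so the exit status is the only trace of that failure; a one-line message to stderr would make it diagnosable from the service log. A short header comment noting that 5 and 6 appear to follow the LSB init-script convention (program not installed / program not configured) would also help the next maintainer.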
diff --git a/_kpropd b/_kpropd
new file mode 100644
index 0000000..219e41c
--- /dev/null
+++ b/_kpropd
@@ -0,0 +1,10 @@
+#!/bin/sh
+kpropd=/usr/sbin/kpropd
+if ! test -f /var/kerberos/krb5kdc/kpropd.acl ; then
+	echo $"Error. This does not appear to be a slave server, kpropd.acl not found"
+	exit 6
+fi
+if ! test -x "$kpropd" ; then
+	exit 5
+fi
+exec "$kpropd" "$@"
diff --git a/kadmin.service b/kadmin.service
index 7775ea7..ede159e 100644
--- a/kadmin.service
+++ b/kadmin.service
@@ -1,13 +1,12 @@
 [Unit]
 Description=Kerberos 5 Password-changing and Administration
 After=syslog.target network.target
-ConditionPathExists=!/var/kerberos/krb5kdc/kpropd.acl
 
 [Service]
 Type=forking
 PIDFile=/var/run/kadmind.pid
 EnvironmentFile=-/etc/sysconfig/kadmin
-ExecStart=/usr/sbin/kadmind -P /var/run/kadmind.pid $KADMIND_ARGS
+ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]
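Review bot: The new `ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS` line has no comment saying that the underscore wrapper now enforces the role check that `ConditionPathExists=!/var/kerberos/krb5kdc/kpropd.acl` used to express. A local drop-in that points ExecStart back at /usr/sbin/kadmind would therefore lose that guard without any hint in the unit file. A comment above the line would make the dependency visible, such as `# _kadmind exits 6 when kpropd.acl is present; do not call kadmind directly`. The same applies to `ExecStart=/usr/sbin/_kpropd -S` in kprop.service. The [Install] section continues outside this hunk.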
diff --git a/kprop.service b/kprop.service
index 99ba129..959a300 100644
--- a/kprop.service
+++ b/kprop.service
@@ -1,11 +1,10 @@
 [Unit]
 Description=Kerberos 5 Propagation
 After=syslog.target network.target
-ConditionPathExists=/var/kerberos/krb5kdc/kpropd.acl
 
 [Service]
 Type=forking
-ExecStart=/usr/sbin/kpropd -S
+ExecStart=/usr/sbin/_kpropd -S
 
 [Install]
 WantedBy=multi-user.target
diff --git a/krb5.spec b/krb5.spec
index 5409f20..0ea68db 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -45,6 +45,8 @@ Source2: kprop.service
 Source4: kadmin.service
 Source5: krb5kdc.service
 Source6: krb5.conf
+Source7: _kpropd
+Source8: _kadmind
 Source10: kdc.conf
 Source11: kadm5.acl
 Source19: krb5kdc.sysconfig
@@ -76,7 +78,6 @@ Patch59: krb5-1.10-kpasswd_tcp.patch
 Patch60: krb5-1.11-pam.patch
 Patch63: krb5-1.11-selinux-label.patch
 Patch71: krb5-1.11-dirsrv-accountlock.patch
-Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch113: krb5-1.11-alpha1-init.patch
@@ -306,7 +307,6 @@ ln -s NOTICE LICENSE
 %patch56 -p1 -b .doublelog
 %patch59 -p1 -b .kpasswd_tcp
 %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
-#%patch75 -p1 -b .pkinit-debug
 %patch86 -p0 -b .debuginfo
 %patch105 -p1 -b .kvno
 %patch113 -p1 -b .init
@@ -507,6 +507,12 @@ for unit in \
 	# is an upgrade-time problem I'm in no hurry to deal with.
 	install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir}
 done
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+for wrapper in \
+	%{SOURCE7} \
+	%{SOURCE8} ; do
+	install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
+done
 %else
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 for init in \
@@ -771,12 +777,14 @@ exit 0
 %{_sbindir}/kadmin.local
 %{_mandir}/man8/kadmin.local.8*
 %{_sbindir}/kadmind
+%{_sbindir}/_kadmind
 %{_mandir}/man8/kadmind.8*
 %{_sbindir}/kdb5_util
 %{_mandir}/man8/kdb5_util.8*
 %{_sbindir}/kprop
 %{_mandir}/man8/kprop.8*
 %{_sbindir}/kpropd
+%{_sbindir}/_kpropd
 %{_mandir}/man8/kpropd.8*
 %{_sbindir}/kproplog
 %{_mandir}/man8/kproplog.8*
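Review bot: `%{_sbindir}/_kadmind` and `%{_sbindir}/_kpropd` are added to the file list with no conditional visible in this hunk, while the install loop for the two wrappers sits before the `%else` of what looks like the systemd branch. If this part of %files is not under the same condition, a build that takes the init-script branch would list files that were never installed and fail at packaging time. Guarding the two entries with the same `%if` as the install loop would keep both build paths consistent; the condition itself is outside the visible hunks. The %files section starts and ends outside this hunk, so this needs checking against the full spec.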
@@ -902,6 +910,14 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu Aug 15 2013 Nalin Dahyabhai <nalin at redhat.com> 1.11.3-8
+- drop a patch we weren't not applying (build tooling)
+- wrap kadmind and kpropd in scripts which check for the presence/absence
+  of files which dictate particular exit codes before exec'ing the actual
+  binaries, instead of trying to use ConditionPathExists in the unit files
+  to accomplish that, so that we exit with failure properly when what we
+  expect isn't actually in effect on the system (#800343)
+
 * Mon Jul 29 2013 Nalin Dahyabhai <nalin at redhat.com> 1.11.3-7
 - attempt to account for UnversionedDocdirs for the -libs subpackage
 

