
From efd08380bbdda59a63afd584bc4c0ef3426b14ce Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia
When installing a second (or subsequent) KRA instance, keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.
https://pagure.io/freeipa/issue/7020
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f3454061280661d7b0fc2899142da9dc8783841a..3545b301a977f4b7e7801ca1ef87d594bb3ba54f 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@ import os
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
             return
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
         if options.promote:
-            custodia = custodiainstance.CustodiaInstance(
-                replica_config.host_name,
-                replica_config.realm_name)
-            custodia.get_kra_keys(
-                replica_config.kra_host_name,
-                krafile,
-                replica_config.dirman_password)
+            with ipautil.private_ccache():
+                ccache = os.environ['KRB5CCNAME']
+                kinit_keytab(
+                    'host/{env.host}@{env.realm}'.format(env=api.env),
+                    paths.KRB5_KEYTAB,
+                    ccache)
+                custodia = custodiainstance.CustodiaInstance(
+                    replica_config.host_name,
+                    replica_config.realm_name)
+                custodia.get_kra_keys(
+                    replica_config.kra_host_name,
+                    krafile,
+                    replica_config.dirman_password)
         else:
             cafile = os.path.join(replica_config.dir, 'cacert.p12')
             if not ipautil.file_exists(cafile):
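Review bot: The host principal passed to kinit_keytab is built from `api.env.host` and `api.env.realm`, while the CustodiaInstance created two lines later is built from `replica_config.host_name` and `replica_config.realm_name`; these are presumably the same host and realm during promotion, but taking both from the same source (or asserting they agree) would avoid obtaining a ticket for one identity and fetching keys under another. The reason for the kinit lives only in the commit message, so a comment above the `with` block such as `# Custodia checks key synchronization on the master over GSSAPI, so a host ticket must be in the ccache before get_kra_keys() is called` would keep it with the code. `os.environ['KRB5CCNAME']` raises KeyError if private_ccache() does not export that variable; from this hunk alone that cannot be confirmed, so it is worth checking against ipautil. The enclosing install() starts and ends outside the hunk.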
-- 
2.9.4