From ab4b7f7ca4a3a477df1cf61418f2d63755652dcc Mon Sep 17 00:00:00 2001
From: Johnny Hughes <johnny@centos.org>
Date: Mon, 14 May 2018 14:34:43 +0000
Subject: [PATCH] set ipaplatform to rhel for compatibilty for updates

---
 SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch |  111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 111 insertions(+), 0 deletions(-)

diff --git a/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
new file mode 100644
index 0000000..0a475e2
--- /dev/null
+++ b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
@@ -0,0 +1,111 @@
+From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 14 Mar 2018 16:13:17 +0100
+Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
+ right master
+
+During ipa-replica-install, http installation first creates a service
+principal for http/hostname (locally on the soon-to-be-replica), then
+waits for this entry to be replicated on the master picked for the
+install.
+In a later step, the installer requests a certificate for HTTPd. The local
+certmonger first tries the master defined in xmlrpc_uri (which is
+pointing to the soon-to-be-replica), but fails because the service is not
+up yet. Then certmonger tries to find a master by using the DNS and looking
+for a ldap service. This step can pick a different master, where the
+principal entry has not always be replicated yet.
+As the certificate request adds the principal if it does not exist, we can
+end by re-creating the principal and have a replication conflict.
+
+The replication conflict later causes kerberos issues, preventing
+from installing a new replica.
+
+The proposed fix forces xmlrpc_uri to point to the same master as the one
+picked for the installation, in order to make sure that the master already
+contains the principal entry.
+
+https://pagure.io/freeipa/issue/7041
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
+ 1 file changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
+                          'on master: %s', str(e))
+ 
+ 
+-def create_ipa_conf(fstore, config, ca_enabled):
++def create_ipa_conf(fstore, config, ca_enabled, master=None):
++    """
++    Create /etc/ipa/default.conf master configuration
++    :param fstore: sysrestore file store used for backup and restore of
++                   the server configuration
++    :param config: replica config
++    :param ca_enabled: True if the topology includes a CA
++    :param master: if set, the xmlrpc_uri parameter will use the provided
++                   master instead of this host
++    """
+     # Save client file on Domain Level 1
+     target_fname = paths.IPA_DEFAULT_CONF
+     fstore.backup_file(target_fname)
+@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
+     ipaconf.setOptionAssignment(" = ")
+     ipaconf.setSectionNameDelimiters(("[", "]"))
+ 
+-    xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+-                    ipautil.format_netloc(config.host_name))
++    if master:
++        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++            ipautil.format_netloc(master))
++    else:
++        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++                        ipautil.format_netloc(config.host_name))
+     ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
+                     installutils.realm_to_serverid(config.realm_name))
+ 
+@@ -1431,6 +1444,25 @@ def install(installer):
+     # we now need to enable ssl on the ds
+     ds.enable_ssl()
+ 
++    if promote:
++        # We need to point to the master when certmonger asks for
++        # HTTP certificate.
++        # During http installation, the HTTP/hostname principal is created
++        # locally then the installer waits for the entry to appear on the
++        # master selected for the installation.
++        # In a later step, the installer requests a SSL certificate through
++        # Certmonger (and the op adds the principal if it does not exist yet).
++        # If xmlrpc_uri points to the soon-to-be replica,
++        # the httpd service is not ready yet to handle certmonger requests
++        # and certmonger tries to find another master. The master can be
++        # different from the one selected for the installation, and it is
++        # possible that the principal has not been replicated yet. This
++        # may lead to a replication conflict.
++        # This is why we need to force the use of the same master by
++        # setting xmlrpc_uri
++        create_ipa_conf(fstore, config, ca_enabled,
++                        master=config.master_host_name)
++
+     install_http(
+         config,
+         auto_redirect=not options.no_ui_redirect,
+@@ -1439,6 +1471,10 @@ def install(installer):
+         ca_is_configured=ca_enabled,
+         ca_file=cafile)
+ 
++    if promote:
++        # Need to point back to ourself after the cert for HTTP is obtained
++        create_ipa_conf(fstore, config, ca_enabled)
++
+     otpd = otpdinstance.OtpdInstance()
+     otpd.create_instance('OTPD', config.host_name,
+                          ipautil.realm_to_suffix(config.realm_name))
+-- 
+2.14.3
+

--
Gitblit v1.8.0