From 20f2650a8a23d288571fde552ed1c242cd972d88 Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Fri, 27 Oct 2017 09:05:20 +0200

Subject: [PATCH] Fix ipa-replica-conncheck when called with --principal

ipa-replica-conncheck can be called with --principal / --password or

with an existing Kerberos credential cache in order to supply the

authorized identity logging in to the master machine (in

auto-master-check mode).

In domain-level 0, the tool is called with --principal and password

and tries to obtain a TGT by performing kinit, but does not set the

env var KRB5CCNAME. Subsequent calls to IPA API do not use the

credential cache and fail. In this case, ipa-replica-conncheck falls

back to using SSH to check master connectivity instead of IPA API,

and the ssh check is less robust.

The code should set the KRB5CCNAME env var for IPA API to use the

credential cache.

Fixes:

https://pagure.io/freeipa/issue/7221

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 install/tools/ipa-replica-conncheck | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck

index 03281d1c7b6ee9f1d4cabebceb0c7e64b09601c0..545cdf00ca74289e6532a40de4c9abad5af4cee0 100755

--- a/install/tools/ipa-replica-conncheck

+++ b/install/tools/ipa-replica-conncheck

@@ -534,6 +534,9 @@ def main():

                 if result.returncode != 0:

                     raise RuntimeError("Could not get ticket for master server: %s" %

                                         result.error_output)

+                # Now that the cred cache file is initialized,

+                # use it for the IPA API calls

+                os.environ['KRB5CCNAME'] = CCACHE_FILE

             try:

                 root_logger.info("Check RPC connection to remote master")

-- 

2.9.5