From efd08380bbdda59a63afd584bc4c0ef3426b14ce Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia
When installing a second (or subsequent) KRA instance, keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.
https://pagure.io/freeipa/issue/7020
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f3454061280661d7b0fc2899142da9dc8783841a..3545b301a977f4b7e7801ca1ef87d594bb3ba54f 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@ import os
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
             return
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
         if options.promote:
-            custodia = custodiainstance.CustodiaInstance(
-                replica_config.host_name,
-                replica_config.realm_name)
-            custodia.get_kra_keys(
-                replica_config.kra_host_name,
-                krafile,
-                replica_config.dirman_password)
+            with ipautil.private_ccache():
+                ccache = os.environ['KRB5CCNAME']
+                kinit_keytab(
+                    'host/{env.host}@{env.realm}'.format(env=api.env),
+                    paths.KRB5_KEYTAB,
+                    ccache)
+                custodia = custodiainstance.CustodiaInstance(
+                    replica_config.host_name,
+                    replica_config.realm_name)
+                custodia.get_kra_keys(
+                    replica_config.kra_host_name,
+                    krafile,
+                    replica_config.dirman_password)
         else:
             cafile = os.path.join(replica_config.dir, 'cacert.p12')
             if not ipautil.file_exists(cafile):
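Review bot: The new `with ipautil.private_ccache():` block in the `options.promote` branch carries no comment saying why a host ticket must be obtained before the Custodia call, so the reason currently lives only in the commit message; I would add, above the `kinit_keytab(` call, `# Custodia verifies the KRA keys are synchronized in the master's DS over GSSAPI, so a host ticket is needed first; the private ccache keeps it out of the caller's credentials.` (the last clause is my reading of `private_ccache()`, whose body is not in this hunk — adjust if it behaves differently). A second point: the principal is built from `api.env.host`/`api.env.realm` while `CustodiaInstance` is constructed from `replica_config.host_name`/`replica_config.realm_name`; if these can ever differ, the ticket would belong to a different principal than the instance it is meant to authenticate, so deriving both from the same source would be safer. The `ccache = os.environ['KRB5CCNAME']` lookup presumably relies on `private_ccache()` having set that variable; a `KeyError` here would surface as an unexplained crash, so a short comment or an explicit `os.environ.get` with a clear error is worth considering. The enclosing `install()` starts before and ends after this hunk.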
-- 
2.9.4