From efd08380bbdda59a63afd584bc4c0ef3426b14ce Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia

When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f3454061280661d7b0fc2899142da9dc8783841a..3545b301a977f4b7e7801ca1ef87d594bb3ba54f 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@ import os
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
             return
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
         if options.promote:
-            custodia = custodiainstance.CustodiaInstance(
-                replica_config.host_name,
-                replica_config.realm_name)
-            custodia.get_kra_keys(
-                replica_config.kra_host_name,
-                krafile,
-                replica_config.dirman_password)
+            with ipautil.private_ccache():
+                ccache = os.environ['KRB5CCNAME']
+                kinit_keytab(
+                    'host/{env.host}@{env.realm}'.format(env=api.env),
+                    paths.KRB5_KEYTAB,
+                    ccache)
+                custodia = custodiainstance.CustodiaInstance(
+                    replica_config.host_name,
+                    replica_config.realm_name)
+                custodia.get_kra_keys(
+                    replica_config.kra_host_name,
+                    krafile,
+                    replica_config.dirman_password)
         else:
             cafile = os.path.join(replica_config.dir, 'cacert.p12')
             if not ipautil.file_exists(cafile):
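Review bot: The reason for acquiring a host ticket lives only in the commit message; the new `with ipautil.private_ccache():` block deserves a why-comment so a later reader does not drop the kinit as redundant, e.g. `# custodia.get_kra_keys() checks key synchronization in the master's DS over GSSAPI, so a host/ credential must be in the ccache first`. Reading the ccache back from `os.environ['KRB5CCNAME']` couples this code to an implementation detail of `private_ccache()`; if that context manager yields the ccache path (it appears to in ipautil), `with ipautil.private_ccache() as ccache:` is clearer and avoids the environment lookup. A failure in `kinit_keytab` (missing `paths.KRB5_KEYTAB` or an unreachable KDC) will propagate out of `install()` as-is, which is presumably intended, but worth confirming that the caller reports it as a KRA promotion error rather than a bare traceback. The enclosing `install` function starts and ends outside this hunk.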
-- 
2.9.4