From 20f2650a8a23d288571fde552ed1c242cd972d88 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 27 Oct 2017 09:05:20 +0200 Subject: [PATCH] Fix ipa-replica-conncheck when called with --principal ipa-replica-conncheck can be called with --principal / --password or with an existing Kerberos credential cache in order to supply the authorized identity logging in to the master machine (in auto-master-check mode). In domain-level 0, the tool is called with --principal and password and tries to obtain a TGT by performing kinit, but does not set the env var KRB5CCNAME. Subsequent calls to IPA API do not use the credential cache and fail. In this case, ipa-replica-conncheck falls back to using SSH to check master connectivity instead of IPA API, and the ssh check is less robust. The code should set the KRB5CCNAME env var for IPA API to use the credential cache. Fixes: https://pagure.io/freeipa/issue/7221 Reviewed-By: Rob Crittenden --- install/tools/ipa-replica-conncheck | 3 +++ 1 file changed, 3 insertions(+) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 03281d1c7b6ee9f1d4cabebceb0c7e64b09601c0..545cdf00ca74289e6532a40de4c9abad5af4cee0 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -534,6 +534,9 @@ def main(): if result.returncode != 0: raise RuntimeError("Could not get ticket for master server: %s" % result.error_output) + # Now that the cred cache file is initialized, + # use it for the IPA API calls + os.environ['KRB5CCNAME'] = CCACHE_FILE try: root_logger.info("Check RPC connection to remote master") -- 2.9.5
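Review bot: The `os.environ['KRB5CCNAME'] = CCACHE_FILE` assignment added in main(), right after the `result.returncode != 0` check, changes the environment of the whole process and is never undone. Any KRB5CCNAME the caller had already exported is silently overwritten, and everything that runs later in the same process inherits the new cache, including child processes such as the SSH fallback mentioned in the commit message if it is still reached after a failed RPC check. I would save the previous value before the assignment and restore it (or delete the variable) in a `finally` attached to the `try:` that begins with "Check RPC connection to remote master", so the override is scoped to the IPA API calls it is meant for. Two things this hunk does not show and that are worth confirming in the surrounding code: that CCACHE_FILE is created with owner-only permissions, and that it is removed on every exit path, since after this change it holds a TGT for the --principal identity and is the cache the API calls actively use. The added comment could also say that this applies only to the --principal / --password path, because when the tool is started with an existing credential cache this branch should not replace it.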