Split CA replica installation steps for domain level 0

Installation from replica file is broken because lightweight CA replication setup is attempted before Kerberos is set up. To fix the issue, explicitly execute step 1 before Kerberos setup, and step 2 afterwards. Part of: https://fedorahosted.org/freeipa/ticket/5963 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-17 10:57:32 +10:00 · 2016-06-17 10:57:32 +10:00 · 0334693cfc
commit 0334693cfc
parent 88f7154f7f
1 changed files with 6 additions and 1 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -819,12 +819,17 @@ def install(installer):
        if ca_enabled:
            options.ra_p12 = config.dir + "/ra.p12"

-        ca.install(False, config, options)
+        ca.install_step_0(False, config, options)

    krb = install_krb(config, setup_pkinit=not options.no_pkinit)
    http = install_http(config, auto_redirect=not options.no_ui_redirect,
                        ca_is_configured=ca_enabled)

+    if config.setup_ca:
+        # Done after install_krb() because lightweight CA key
+        # retrieval setup needs to create kerberos principal.
+        ca.install_step_1(False, config, options)
+
    otpd = otpdinstance.OtpdInstance()
    otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                         ipautil.realm_to_suffix(config.realm_name))