install: request service certs after host keytab is set up

The certmonger renew agent and restart scripts use host keytab for authentication. When they are executed during a certmonger request before the host keytab is set up, the authentication will fail. Make sure all certmonger requests in the installer are done after the host keytab is set up. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-07 07:44:21 +02:00 · 2017-04-07 07:44:21 +02:00 · 181cb94e74
commit 181cb94e74
parent ec52332229
3 changed files with 16 additions and 24 deletions
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -256,7 +256,7 @@ class DsInstance(service.Service):

    subject_base = ipautil.dn_attribute_property('_subject_base')

-    def __common_setup(self, enable_ssl=False):
+    def __common_setup(self):

        self.step("creating directory server user", create_ds_user)
        self.step("creating directory server instance", self.__create_instance)
@ -279,8 +279,6 @@ class DsInstance(service.Service):
        self.step("configuring topology plugin", self.__config_topology_module)
        self.step("creating indices", self.__create_indices)
        self.step("enabling referential integrity plugin", self.__add_referint_module)
-        if enable_ssl:
-            self.step("configuring TLS for DS instance", self.__enable_ssl)
        self.step("configuring certmap.conf", self.__certmap_conf)
        self.step("configure new location for managed entries", self.__repoint_managed_entries)
        self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
@ -356,8 +354,12 @@ class DsInstance(service.Service):
        self.steps = []

        self.step("configuring TLS for DS instance", self.__enable_ssl)
-        self.step("restarting directory server", self.__restart_instance)
+        if self.master_fqdn is None:
            self.step("adding CA certificate entry", self.__upload_ca_cert)
+        else:
+            self.step("importing CA certificates from LDAP",
+                      self.__import_ca_certs)
+        self.step("restarting directory server", self.__restart_instance)

        self.start_creation()

@ -391,21 +393,16 @@ class DsInstance(service.Service):
        self.promote = promote
        self.api = api

-        self.__common_setup(enable_ssl=(not self.promote))
+        self.__common_setup()
        self.step("restarting directory server", self.__restart_instance)

        self.step("creating DS keytab", self.request_service_keytab)
-        if self.promote:
-            self.step("configuring TLS for DS instance", self.__enable_ssl)
-            self.step("restarting directory server", self.__restart_instance)
-
        self.step("setting up initial replication", self.__setup_replica)
        self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
        self.step("updating schema", self.__update_schema)
        # See LDIFs for automember configuration during replica install
        self.step("setting Auto Member configuration", self.__add_replica_automember_config)
        self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
-        self.step("importing CA certificates from LDAP", self.__import_ca_certs)

        self.__common_post_setup()

--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -770,6 +770,13 @@ def install(installer):
            realm_name, host_name, domain_name, dm_password,
            options.subject_base, options.ca_subject, 1101, 1100, None)

+    krb = krbinstance.KrbInstance(fstore)
+    krb.create_instance(realm_name, host_name, domain_name,
+                        dm_password, master_password,
+                        setup_pkinit=not options.no_pkinit,
+                        pkcs12_info=pkinit_pkcs12_info,
+                        subject_base=options.subject_base)
+
    if setup_ca:
        if not options.external_cert_files and options.external_ca:
            # stage 1 of external CA installation
@ -793,17 +800,6 @@ def install(installer):
    # we now need to enable ssl on the ds
    ds.enable_ssl()

-    krb = krbinstance.KrbInstance(fstore)
-    krb.create_instance(realm_name, host_name, domain_name,
-                        dm_password, master_password,
-                        setup_pkinit=not options.no_pkinit,
-                        pkcs12_info=pkinit_pkcs12_info,
-                        subject_base=options.subject_base)
-
-    # restart DS to enable ipa-pwd-extop plugin
-    print("Restarting directory server to enable password extension plugin")
-    ds.restart()
-
    if setup_ca:
        ca.install_step_1(False, None, options)

--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -1422,9 +1422,8 @@ def install(installer):
        setup_pkinit=not options.no_pkinit,
        promote=promote)

-    # restart DS to enable ipa-pwd-extop plugin
-    print("Restarting directory server to enable password extension plugin")
-    ds.restart()
+    # we now need to enable ssl on the ds
+    ds.enable_ssl()

    install_http(
        config,