Use the same kpasswd.keytab on all replicas.

If we generate a new keytab for each replica then effectively password
changes can only occur on the last replica created.

439905

ipa-server/ipa-install/ipa-replica-install

@@ -109,8 +109,10 @@ def install_ds(config):
 def install_krb(config):
     krb = krbinstance.KrbInstance()
     ldappwd_filename = config.dir + "/ldappwd"
+    kpasswd_filename = config.dir + "/kpasswd.keytab"
     krb.create_replica(config.ds_user, config.realm_name, config.host_name,
-                       config.domain_name, config.dirman_password, ldappwd_filename)
+                       config.domain_name, config.dirman_password,
+                       ldappwd_filename, kpasswd_filename)
 
 def install_http(config):
     # if we have a pkcs12 file, create the cert db from

ipa-server/ipa-install/ipa-replica-prepare

@@ -143,6 +143,7 @@ def copy_files(realm_name, dir):
     config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
     try:
         shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") 
+        shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") 
         shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
         shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
         shutil.copy(config_dir + "/cacert.asc", dir + "/ca.crt")
@@ -190,6 +191,7 @@ def main():
 
     print "Packaging the replica into /var/lib/ipa/%s" % "replica-info-" + replica_fqdn
     ipautil.run(["/bin/tar", "cfz", "/var/lib/ipa/replica-info-" + replica_fqdn, "-C", top_dir, "realm_info"])
+    os.chmod("/var/lib/ipa/replica-info-" + replica_fqdn, 0600)
 
     shutil.rmtree(dir)
 

ipa-server/ipaserver/krbinstance.py

@@ -147,8 +147,9 @@ class KrbInstance(service.Service):
 
         self.kpasswd.create_instance()
 
-    def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename):
+    def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
         self.__copy_ldap_passwd(ldap_passwd_filename)
+        self.__copy_kpasswd_keytab(kpasswd_filename)
 
         self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
 
@@ -157,7 +158,6 @@ class KrbInstance(service.Service):
         self.step("configuring KDC", self.__create_replica_instance)
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
-        self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
 
         self.__common_post_setup()
 
@@ -170,6 +170,11 @@ class KrbInstance(service.Service):
         shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
         os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
 
+    def __copy_kpasswd_keytab(self, filename):
+        self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
+        shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
+        os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600)
+
 
     def __configure_kdc_account_password(self):
         hexpwd = ''