ipa-replica-install: fix pkinit setup

commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.

The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/plugins/cert.py

@@ -300,9 +300,11 @@ def ca_kdc_check(api_instance, hostname):
 
         ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
 
-        if 'enabledservice' not in ipaconfigstring:
+        if 'enabledservice' not in ipaconfigstring \
+                and 'configuredservice' not in ipaconfigstring:
             raise errors.NotFound(
-                reason=_("enabledService not in ipaConfigString kdc entry"))
+                reason=_("enabledService/configuredService not in "
+                         "ipaConfigString kdc entry"))
 
     except errors.NotFound:
         raise errors.ACIError(