IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

dsinstance: use keytab retrieval method from parent class

Browse Source 
DS replica can now use remote API and ipa-getkeytab to create service
principal and fetch the keytab in both domain levels. There is no need to use
KDC installer to do it.

https://fedorahosted.org/freeipa/ticket/6405

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Martin Babinsky
2016-11-03 18:13:28 +01:00
committed by Jan Cholasta
parent 6181844c0c
commit 3129b874a2
2 changed files with 3 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
ipaserver/install/dsinstance.py
View File

@@ -390,8 +390,8 @@ class DsInstance(service.Service):
self.__common_setup(enable_ssl=(not self.promote)) self.__common_setup(enable_ssl=(not self.promote))
self.step("restarting directory server", self.__restart_instance) self.step("restarting directory server", self.__restart_instance)
self.step("creating DS keytab", self._request_service_keytab)
if self.promote: if self.promote:
self.step("creating DS keytab", self.__get_ds_keytab)
if self.ca_is_configured: if self.ca_is_configured:
self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("retrieving DS Certificate", self.__get_ds_cert)
self.step("restarting directory server", self.__restart_instance) self.step("restarting directory server", self.__restart_instance)
@@ -1224,29 +1224,14 @@ class DsInstance(service.Service):
if self.domainlevel is not None: if self.domainlevel is not None:
self._ldap_mod("domainlevel.ldif", self.sub_dict) self._ldap_mod("domainlevel.ldif", self.sub_dict)
def __get_ds_keytab(self): def _request_service_keytab(self):
super(DsInstance, self)._request_service_keytab()
self.fstore.backup_file(self.keytab)
try:
os.unlink(self.keytab)
except OSError:
pass
installutils.install_service_keytab(self.api,
self.principal,
self.master_fqdn,
self.keytab,
force_service_add=True)
# Configure DS to use the keytab # Configure DS to use the keytab
vardict = {"KRB5_KTNAME": self.keytab} vardict = {"KRB5_KTNAME": self.keytab}
ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV, ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
replacevars=vardict) replacevars=vardict)
# Keytab must be owned by DS itself
pent = pwd.getpwnam(self.service_user)
os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
def __get_ds_cert(self): def __get_ds_cert(self):
subject = self.subject_base or DN(('O', self.realm)) subject = self.subject_base or DN(('O', self.realm))
nssdb_dir = config_dirname(self.serverid) nssdb_dir = config_dirname(self.serverid)

3
ipaserver/install/krbinstance.py
View File

@@ -177,9 +177,6 @@ class KrbInstance(service.Service):
self.__common_setup(realm_name, host_name, domain_name, admin_password) self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("configuring KDC", self.__configure_instance) self.step("configuring KDC", self.__configure_instance)
if not promote:
self.step("creating a keytab for the directory",
self.__create_ds_keytab)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module) self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
if setup_pkinit: if setup_pkinit:
self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit) self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)