From 342f72140f9bd8b8db19f469ae4c56cac7492901 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia

When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f34540612..3545b301a 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@ import os
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
         return
     krafile = os.path.join(replica_config.dir, 'kracert.p12')
     if options.promote:
-        custodia = custodiainstance.CustodiaInstance(
-            replica_config.host_name,
-            replica_config.realm_name)
-        custodia.get_kra_keys(
-            replica_config.kra_host_name,
-            krafile,
-            replica_config.dirman_password)
+        with ipautil.private_ccache():
+            ccache = os.environ['KRB5CCNAME']
+            kinit_keytab(
+                'host/{env.host}@{env.realm}'.format(env=api.env),
+                paths.KRB5_KEYTAB,
+                ccache)
+            custodia = custodiainstance.CustodiaInstance(
+                replica_config.host_name,
+                replica_config.realm_name)
+            custodia.get_kra_keys(
+                replica_config.kra_host_name,
+                krafile,
+                replica_config.dirman_password)
     else:
         cafile = os.path.join(replica_config.dir, 'cacert.p12')
         if not ipautil.file_exists(cafile):
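Review bot: The new kinit in the `options.promote` branch carries no comment saying why a host ticket must exist before `custodia.get_kra_keys`, so a later reader sees an apparently unrelated Kerberos step whose rationale lives only in the commit message. I would add, above `with ipautil.private_ccache():`, `# custodia's key-sync check authenticates over GSSAPI, so obtain a host ticket in a throwaway ccache first (pagure #7020)`, which also records that the credential is scoped to this block rather than left in the caller's ccache. Note that `api.env` here resolves to the `install` parameter named `api`, which shadows the `from ipalib import api` import visible in the first hunk; presumably intended, but one word in the comment would settle it. `install` continues past the end of the hunk.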