mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
kra: promote: Get ticket before calling custodia
When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache. https://pagure.io/freeipa/issue/7020 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
bf0ba9b36e
commit
342f72140f
@ -10,6 +10,7 @@ import os
|
|||||||
import shutil
|
import shutil
|
||||||
|
|
||||||
from ipalib import api
|
from ipalib import api
|
||||||
|
from ipalib.install.kinit import kinit_keytab
|
||||||
from ipaplatform import services
|
from ipaplatform import services
|
||||||
from ipaplatform.paths import paths
|
from ipaplatform.paths import paths
|
||||||
from ipapython import certdb
|
from ipapython import certdb
|
||||||
@ -84,13 +85,19 @@ def install(api, replica_config, options):
|
|||||||
return
|
return
|
||||||
krafile = os.path.join(replica_config.dir, 'kracert.p12')
|
krafile = os.path.join(replica_config.dir, 'kracert.p12')
|
||||||
if options.promote:
|
if options.promote:
|
||||||
custodia = custodiainstance.CustodiaInstance(
|
with ipautil.private_ccache():
|
||||||
replica_config.host_name,
|
ccache = os.environ['KRB5CCNAME']
|
||||||
replica_config.realm_name)
|
kinit_keytab(
|
||||||
custodia.get_kra_keys(
|
'host/{env.host}@{env.realm}'.format(env=api.env),
|
||||||
replica_config.kra_host_name,
|
paths.KRB5_KEYTAB,
|
||||||
krafile,
|
ccache)
|
||||||
replica_config.dirman_password)
|
custodia = custodiainstance.CustodiaInstance(
|
||||||
|
replica_config.host_name,
|
||||||
|
replica_config.realm_name)
|
||||||
|
custodia.get_kra_keys(
|
||||||
|
replica_config.kra_host_name,
|
||||||
|
krafile,
|
||||||
|
replica_config.dirman_password)
|
||||||
else:
|
else:
|
||||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
||||||
if not ipautil.file_exists(cafile):
|
if not ipautil.file_exists(cafile):
|
||||||
|
Loading…
Reference in New Issue
Block a user