kra: promote: Get ticket before calling custodia

When installing a second (or subsequent) KRA instance, keys are retrieved
using custodia. Custodia checks that the keys are synchronized in the
master's directory server; that check uses GSSAPI and therefore fails
if there is no ticket in the ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
David Kupka 2017-06-14 15:39:58 +02:00 committed by Martin Babinsky
parent bf0ba9b36e
commit 342f72140f


@ -10,6 +10,7 @@ import os
import shutil import shutil
from ipalib import api from ipalib import api
from ipalib.install.kinit import kinit_keytab
from ipaplatform import services from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import certdb from ipapython import certdb
@ -84,13 +85,19 @@ def install(api, replica_config, options):
return return
krafile = os.path.join(replica_config.dir, 'kracert.p12') krafile = os.path.join(replica_config.dir, 'kracert.p12')
if options.promote: if options.promote:
custodia = custodiainstance.CustodiaInstance( with ipautil.private_ccache():
replica_config.host_name, ccache = os.environ['KRB5CCNAME']
replica_config.realm_name) kinit_keytab(
custodia.get_kra_keys( 'host/{env.host}@{env.realm}'.format(env=api.env),
replica_config.kra_host_name, paths.KRB5_KEYTAB,
krafile, ccache)
replica_config.dirman_password) custodia = custodiainstance.CustodiaInstance(
replica_config.host_name,
replica_config.realm_name)
custodia.get_kra_keys(
replica_config.kra_host_name,
krafile,
replica_config.dirman_password)
else: else:
cafile = os.path.join(replica_config.dir, 'cacert.p12') cafile = os.path.join(replica_config.dir, 'cacert.p12')
if not ipautil.file_exists(cafile): if not ipautil.file_exists(cafile):
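Review bot: The new `with ipautil.private_ccache():` block at the top of the `if options.promote:` branch carries no comment explaining why a host ticket is obtained there, so the reason (custodia's key-sync check against the master's directory server authenticates over GSSAPI) is recoverable only from the commit message. Suggest adding above the `with` line: `# Custodia's key-sync check uses GSSAPI; get a host ticket in a private ccache that is discarded when the block exits.` The `ccache = os.environ['KRB5CCNAME']` line presumably relies on private_ccache() exporting that variable; if it does not, the lookup fails with a bare KeyError rather than a clear install error, which is worth confirming. The enclosing install() function starts before and ends after this hunk.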