Configure affinity during server installation

Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.

When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:

 - existing server value in /etc/ipa/default.conf
 - the chosen CA host if the server doesn't provide one
 - the chosen KRA host if the server doesn't provide one

This is more or less heirarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.

In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.

For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.

Fixes: https://pagure.io/freeipa/issue/9289

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipaserver/install/server/replicainstall.py

@@ -763,6 +763,20 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
         )
 
 
+def remote_connection(config):
+    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+    xmlrpc_uri = 'https://{}/ipa/xml'.format(
+        ipautil.format_netloc(config.master_host_name))
+    remote_api = create_api(mode=None)
+    remote_api.bootstrap(in_server=True,
+                         context='installer',
+                         confdir=paths.ETC_IPA,
+                         ldap_uri=ldapuri,
+                         xmlrpc_uri=xmlrpc_uri)
+    remote_api.finalize()
+    return remote_api
+
+
 @common_cleanup
 @preserve_enrollment_state
 def promote_check(installer):
@@ -929,16 +943,7 @@ def promote_check(installer):
         except ipautil.CalledProcessError:
             raise RuntimeError("ipa-certupdate failed to refresh certs.")
 
-    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
-    xmlrpc_uri = 'https://{}/ipa/xml'.format(
-        ipautil.format_netloc(config.master_host_name))
-    remote_api = create_api(mode=None)
-    remote_api.bootstrap(in_server=True,
-                         context='installer',
-                         confdir=paths.ETC_IPA,
-                         ldap_uri=ldapuri,
-                         xmlrpc_uri=xmlrpc_uri)
-    remote_api.finalize()
+    remote_api = remote_connection(config)
     installer._remote_api = remote_api
 
     with rpc_client(remote_api) as client:
@@ -1068,7 +1073,16 @@ def promote_check(installer):
             'CA', conn, preferred_cas
         )
         if ca_host is not None:
+            if config.master_host_name != ca_host:
+                conn.disconnect()
+                del remote_api
+                config.master_host_name = ca_host
+                remote_api = remote_connection(config)
+                installer._remote_api = remote_api
+                conn = remote_api.Backend.ldap2
+                conn.connect(ccache=installer._ccache)
             config.ca_host_name = ca_host
+            config.master_host_name = ca_host
             ca_enabled = True
             if options.dirsrv_cert_files:
                 logger.error("Certificates could not be provided when "
@@ -1107,7 +1121,17 @@ def promote_check(installer):
             'KRA', conn, preferred_kras
         )
         if kra_host is not None:
+            if config.master_host_name != kra_host:
+                conn.disconnect()
+                del remote_api
+                config.master_host_name = kra_host
+                remote_api = remote_connection(config)
+                installer._remote_api = remote_api
+                conn = remote_api.Backend.ldap2
+                conn.connect(ccache=installer._ccache)
             config.kra_host_name = kra_host
+            config.ca_host_name = kra_host
+            config.master_host_name = kra_host
             kra_enabled = True
             if options.setup_kra and options.server and \
                kra_host != options.server:
@@ -1224,6 +1248,24 @@ def install(installer):
     if tasks.configure_pkcs11_modules(fstore):
         print("Disabled p11-kit-proxy")
 
+    _hostname, _sep, host_domain = config.host_name.partition('.')
+    fstore.backup_file(paths.KRB5_CONF)
+
+    # Write a new krb5.conf in case any values changed finding the
+    # right server to configure against (for CA, KRA).
+    logger.debug("Installing against server %s", config.master_host_name)
+    configure_krb5_conf(
+        cli_realm=api.env.realm,
+        cli_domain=api.env.domain,
+        cli_server=[config.master_host_name],
+        cli_kdc=[config.master_host_name],
+        dnsok=False,
+        filename=paths.KRB5_CONF,
+        client_domain=host_domain,
+        client_hostname=config.host_name,
+        configure_sssd=False
+    )
+
     if installer._add_to_ipaservers:
         try:
             conn.connect(ccache=installer._ccache)

ipaserver/masters.py

@@ -127,6 +127,8 @@ def find_providing_servers(svcname, conn=None, preferred_hosts=(), api=api):
             )
         else:
             servers.insert(0, host_name)
+    logger.debug("Discovery: available servers for service '%s' are %s",
+                 svcname, ', '.join(servers))
     return servers
 
 
@@ -143,8 +145,11 @@ def find_providing_server(svcname, conn=None, preferred_hosts=(), api=api):
         svcname, conn=conn, preferred_hosts=preferred_hosts, api=api
     )
     if not servers:
+        logger.debug("Discovery: no '%s' service found.", svcname)
         return None
     else:
+        logger.debug("Discovery: using %s for '%s' service",
+                     servers[0], svcname)
         return servers[0]