Allow ipa-replica-conncheck to use default creds

If the user has already run kinit try to use those credentials. The user can always override by explicitly passing the -p flag. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-28 11:31:16 -04:00
parent f7d1e4f9a2
commit 5761f73e25
3 changed files with 79 additions and 39 deletions
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -40,11 +40,12 @@ import errno
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
+import gssapi

 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
 QUIET = False
-CCACHE_FILE = paths.CONNCHECK_CCACHE
+CCACHE_FILE = None
 KRB5_CONFIG = None

 class SshExec(object):
@@ -64,12 +65,22 @@ class SshExec(object):
            self.cmd,
            '-o StrictHostKeychecking=no',
            '-o UserKnownHostsFile=%s' % tmpf.name,
+            '-o GSSAPIAuthentication=yes',
            '%s@%s' % (self.user, self.addr), command
        ]
        if verbose:
            cmd.insert(1, '-v')

-        env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
+        env = dict()
+        if KRB5_CONFIG is not None:
+            env['KRB5_CONFIG'] = KRB5_CONFIG
+        elif 'KRB5_CONFIG' in os.environ:
+            env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
+        if CCACHE_FILE is not None:
+            env['KRB5CCNAME'] = CCACHE_FILE
+        elif 'KRB5CCNAME' in os.environ:
+            env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
+
        return ipautil.run(cmd, env=env, raiseonerr=False)


@@ -110,7 +121,7 @@ def parse_options():
    replica_group.add_option("-k", "--kdc", dest="kdc",
                      help="Master KDC. Defaults to master address")
    replica_group.add_option("-p", "--principal", dest="principal",
-                      default="admin", help="Principal to use to log in to remote master")
+                      default=None, help="Principal to use to log in to remote master")
    replica_group.add_option("-w", "--password", dest="password", sensitive=True,
                      help="Password for the principal"),
    parser.add_option_group(replica_group)
@@ -352,19 +363,36 @@ def main():
        remote_check_opts = ['--replica %s' % options.hostname]

        if options.auto_master_check:
+            print_info("Get credentials to log in to remote master")
+            cred = None
+            if options.principal is None:
+                # Check if ccache is available
+                try:
+                    root_logger.debug('KRB5CCNAME set to %s' %
+                                      os.environ.get('KRB5CCNAME', None))
+                    # get default creds, will raise if none found
+                    cred = gssapi.creds.Credentials()
+                    principal = str(cred.name)
+                except gssapi.raw.misc.GSSError as e:
+                    root_logger.debug('Failed to find default ccache: %s' % e)
+                    # Use admin as the default principal
+                    principal = "admin"
+            else:
+                principal = options.principal
+
+            if cred is None:
                (krb_fd, krb_name) = tempfile.mkstemp()
                os.close(krb_fd)
                configure_krb5_conf(options.realm, options.kdc, krb_name)
                global KRB5_CONFIG
                KRB5_CONFIG = krb_name
+                (ccache_fd, ccache_name) = tempfile.mkstemp()
+                os.close(ccache_fd)
+                global CCACHE_FILE
+                CCACHE_FILE = ccache_name

-            print_info("Get credentials to log in to remote master")
-            if options.principal.find('@') == -1:
-                principal = '%s@%s' % (options.principal, options.realm)
-                user = options.principal
-            else:
-                principal = options.principal
-                user = options.principal.partition('@')[0]
+                if principal.find('@') == -1:
+                    principal = '%s@%s' % (principal, options.realm)

                if options.password:
                    password=options.password
@@ -391,6 +419,7 @@ def main():
                if returncode != 0:
                    raise RuntimeError("Could not get ticket for master server: %s" % stderr)

+            user = principal.partition('@')[0]
            ssh = SshExec(user, options.master)

            print_info("Check SSH connection to remote master")
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -64,7 +64,8 @@ STRIP_ATTRS = ('modifiersName',


 def replica_conn_check(master_host, host_name, realm, check_ca,
-                       dogtag_master_ds_port, admin_password=None):
+                       dogtag_master_ds_port, admin_password=None,
+                       principal="admin"):
    """
    Check the ports used by the replica both locally and remotely to be sure
    that replication will work.
@@ -74,10 +75,12 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
    print("Run connection check to master")
    args = [paths.IPA_REPLICA_CONNCHECK, "--master", master_host,
            "--auto-master-check", "--realm", realm,
-            "--principal", "admin",
            "--hostname", host_name]
    nolog=tuple()

+    if principal is not None:
+        args.extend(["--principal", principal])
+
    if admin_password:
        args.extend(["--password", admin_password])
        nolog=(admin_password,)
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -821,6 +821,7 @@ def promote_check(installer):
    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)

    # Check if ccache is available
+    default_cred = None
    try:
        root_logger.debug('KRB5CCNAME set to %s' %
                          os.environ.get('KRB5CCNAME', None))
@@ -853,8 +854,8 @@ def promote_check(installer):
        stdin = None
        if principal.find('@') == -1:
            principal = '%s@%s' % (principal, config.realm_name)
-        if options.password is not None:
-            stdin = options.password
+        if options.admin_password is not None:
+            stdin = options.admin_password
        else:
            if not options.unattended:
                try:
@@ -876,6 +877,9 @@ def promote_check(installer):
                else:
                    stdin = sys.stdin.readline()

+            # set options.admin_password for future use
+            options.admin_password = stdin
+
        try:
            ipautil.kinit_password(principal, stdin, ccache_name)
        except RuntimeError as e:
@@ -1030,9 +1034,13 @@ def promote_check(installer):

    # check connection
    if not options.skip_conncheck:
+        p = None
+        if default_cred is None:
+            p = principal
        replica_conn_check(
            config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, dogtag.Dogtag10Constants.DS_PORT)
+            options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
+            options.admin_password, principal=p)

    if not ipautil.file_exists(cafile):
        raise RuntimeError("CA cert file is not available.")