ca install: use host credentials in domain level 1

https://fedorahosted.org/freeipa/ticket/5399

Reviewed-By: Martin Basti <mbasti@redhat.com>

install/tools/ipa-ca-install

@@ -107,21 +107,19 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-    domain_level = dsinstance.get_domain_level(api)
+    if options.promote:
-    if domain_level > DOMAIN_LEVEL_0:
-        options.promote = True
         if filename is not None:
             sys.exit("Too many parameters provided. "
                      "No replica file is required")
     else:
-        options.promote = False
         if filename is None:
             sys.exit("A replica file is required")
         if not ipautil.file_exists(filename):
             sys.exit("Replica file %s does not exist" % filename)
 
-    # Check if we have admin creds already, otherwise acquire them
+    if not options.promote:
-    check_creds(options, api.env.realm)
+        # Check if we have admin creds already, otherwise acquire them
+        check_creds(options, api.env.realm)
 
     # get the directory manager password
     dirman_password = options.password
@@ -135,8 +133,8 @@ def install_replica(safe_options, options, filename):
         if dirman_password is None:
             sys.exit("Directory Manager password required")
 
-    if not options.admin_password and not options.skip_conncheck and \
+    if (not options.promote and not options.admin_password and
-            options.unattended:
+            not options.skip_conncheck and options.unattended):
         sys.exit('admin password required')
 
     if options.promote:
@@ -229,6 +227,46 @@ def install_master(safe_options, options):
     ca.install(True, None, options)
 
 
+def install(safe_options, options, filename):
+    options.promote = False
+
+    try:
+        if filename is None:
+            install_master(safe_options, options)
+        else:
+            install_replica(safe_options, options, filename)
+
+    finally:
+        # Clean up if we created custom credentials
+        created_ccache_file = getattr(options, 'created_ccache_file', None)
+        if created_ccache_file is not None:
+            try:
+                os.unlink(created_ccache_file)
+            except OSError:
+                pass
+
+
+def promote(safe_options, options, filename):
+    options.promote = True
+
+    with ipautil.private_ccache():
+        ccache = os.environ['KRB5CCNAME']
+
+        ipautil.kinit_keytab(
+            'host/{env.host}@{env.realm}'.format(env=api.env),
+            paths.KRB5_KEYTAB,
+            ccache)
+
+        conn = api.Backend.ldap2
+        conn.connect(ccache=ccache)
+        ca_host = service.find_providing_server('CA', conn)
+        conn.disconnect()
+        if ca_host is None:
+            install_master(safe_options, options)
+        else:
+            install_replica(safe_options, options, filename)
+
+
 def main():
     safe_options, options, filename = parse_options()
 
@@ -251,24 +289,12 @@ def main():
     api.bootstrap(in_server=True, ra_plugin='dogtag')
     api.finalize()
 
-    try:
+    domain_level = dsinstance.get_domain_level(api)
-        conn = api.Backend.ldap2
+    if domain_level > DOMAIN_LEVEL_0:
-        conn.connect(autobind=True)
+        promote(safe_options, options, filename)
-        ca_host = service.find_providing_server('CA', conn)
+    else:
-        conn.disconnect()
+        install(safe_options, options, filename)
-        if ca_host is None:
-            install_master(safe_options, options)
-        else:
-            install_replica(safe_options, options, filename)
 
-    finally:
-        # Clean up if we created custom credentials
-        created_ccache_file = getattr(options, 'created_ccache_file', None)
-        if created_ccache_file is not None:
-            try:
-                os.unlink(created_ccache_file)
-            except OSError:
-                pass
 
 fail_message = '''
 Your system may be partly configured.