Implement replica promotion functionality

This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-06-11 15:45:38 -04:00
parent 2cd0d20a2a
commit d03619fff3
14 changed files with 860 additions and 58 deletions
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -47,12 +47,14 @@ from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger, log_mgr
 from ipalib.util import validate_hostname
 from ipapython import config
-from ipalib import errors, x509
+from ipalib import api, errors, x509
 from ipapython.dn import DN
 from ipaserver.install import certs, service, sysupgrade
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
+from ipapython import certmonger
+

 if six.PY3:
    unicode = str
@@ -1115,3 +1117,28 @@ def enable_and_start_oddjobd(sstore):
        oddjobd.start()
    except Exception as e:
        root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+
+
+def install_service_keytab(principal, server, path):
+
+    try:
+        api.Backend.rpcclient.connect()
+
+        # Create services if none exists (we use the .forward method
+        # here so that we can control the client version number and avoid
+        # errors. This is a workaround until the API becomes version
+        # independent: FIXME
+
+        api.Backend.rpcclient.forward(
+            'service_add',
+            krbprincipalname=principal,
+            version=u'2.112'    # All the way back to 3.0 servers
+        )
+    except errors.DuplicateEntry:
+        pass
+    finally:
+        if api.Backend.rpcclient.isconnected():
+            api.Backend.rpcclient.disconnect()
+
+    args = [paths.IPA_GETKEYTAB, '-k', path, '-p', principal, '-s', server]
+    ipautil.run(args)