Use host keytab to connect to remote server on DL0

Since host enrollment was implemented in DL0, use the host keytab to connect to remote api and perform certain actions to merge DL1 and DL0 replica install workflows. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-07 12:09:28 +01:00 · 2016-11-07 12:09:28 +01:00 · e40d6a2a53
commit e40d6a2a53
parent 2de43e7aca
1 changed files with 15 additions and 11 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -821,6 +821,10 @@ def install_check(installer):
            broadcast_ip_address_warning(config.ips)

        enroll_dl0_replica(installer, fstore, remote_api)
+        ccache = os.environ['KRB5CCNAME']
+        ipautil.kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
+                             paths.KRB5_KEYTAB,
+                             ccache)

    except errors.ACIError:
        raise ScriptError("\nThe password provided is incorrect for LDAP server "
@ -841,10 +845,14 @@ def install_check(installer):

    # check connection
    if not options.skip_conncheck:
-        replica_conn_check(
-            config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, config.ca_ds_port, options.admin_password,
-            ca_cert_file=cafile)
+        try:
+            del os.environ['KRB5CCNAME']
+            replica_conn_check(
+                config.master_host_name, config.host_name, config.realm_name,
+                options.setup_ca, config.ca_ds_port, options.admin_password,
+                ca_cert_file=cafile)
+        finally:
+            os.environ['KRB5CCNAME'] = ccache

    installer._ca_enabled = ca_enabled
    installer._kra_enabled = kra_enabled
@ -1337,9 +1345,9 @@ def install(installer):

    remote_api = installer._remote_api
    conn = remote_api.Backend.ldap2
+    ccache = os.environ['KRB5CCNAME']

    if promote:
-        ccache = os.environ['KRB5CCNAME']
        if installer._add_to_ipaservers:
            try:
                conn.connect(ccache=installer._ccache)
@ -1372,12 +1380,8 @@ def install(installer):
    http_instance.create_cert_db()

    try:
-        if promote:
-            conn.connect(ccache=ccache)
-        else:
-            conn.connect(bind_dn=ipaldap.DIRMAN_DN,
-                         bind_pw=config.dirman_password,
-                         tls_cacertfile=cafile)
+        conn.connect(ccache=ccache)
+        if not promote:
            # Install CA cert so that we can do SSL connections with ldap
            install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)