From e40d6a2a53a931b4d2be3e45c84da99950e60a84 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Mon, 7 Nov 2016 12:09:28 +0100
Subject: [PATCH] Use host keytab to connect to remote server on DL0

Since host enrollment was implemented in DL0, use the host keytab to connect to remote api and perform certain actions to merge DL1 and DL0 replica install workflows.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
---
 ipaserver/install/server/replicainstall.py | 26 +++++++++++++---------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index d0360e79b..853e8af4a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -821,6 +821,10 @@ def install_check(installer):
         broadcast_ip_address_warning(config.ips)
         enroll_dl0_replica(installer, fstore, remote_api)
+        ccache = os.environ['KRB5CCNAME']
+        ipautil.kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
+                             paths.KRB5_KEYTAB,
+                             ccache)
 
     except errors.ACIError:
         raise ScriptError("\nThe password provided is incorrect for LDAP server "
@@ -841,10 +845,14 @@ def install_check(installer):
 
     # check connection
     if not options.skip_conncheck:
-        replica_conn_check(
-            config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, config.ca_ds_port, options.admin_password,
-            ca_cert_file=cafile)
+        try:
+            del os.environ['KRB5CCNAME']
+            replica_conn_check(
+                config.master_host_name, config.host_name, config.realm_name,
+                options.setup_ca, config.ca_ds_port, options.admin_password,
+                ca_cert_file=cafile)
+        finally:
+            os.environ['KRB5CCNAME'] = ccache
 
     installer._ca_enabled = ca_enabled
     installer._kra_enabled = kra_enabled
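Review bot: The new try/finally around replica_conn_check does not say why KRB5CCNAME is unset for the duration of the call, and `del os.environ['KRB5CCNAME']` raises a bare KeyError if the variable is missing, which would surface instead of a connection-check result. The only visible motive is the kinit_keytab into that ccache in the preceding hunk, so a comment at the `del` line such as `# replica_conn_check authenticates with the admin password; keep it away from the host-keytab ccache obtained above` would record the intent (presumably — confirm against replica_conn_check), and `os.environ.pop('KRB5CCNAME', None)` gives the same effect without the KeyError. The `finally:` restore also depends on `ccache` having been bound inside the earlier try block; that holds today because any failure there propagates before this point, but the cross-hunk coupling is worth a sentence in the same comment. install_check's body continues outside the hunk.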
@@ -1337,9 +1345,9 @@ def install(installer):
     remote_api = installer._remote_api
     conn = remote_api.Backend.ldap2
+    ccache = os.environ['KRB5CCNAME']
     if promote:
-        ccache = os.environ['KRB5CCNAME']
         if installer._add_to_ipaservers:
             try:
                 conn.connect(ccache=installer._ccache)
@@ -1372,12 +1380,8 @@ def install(installer):
     http_instance.create_cert_db()
 
     try:
-        if promote:
-            conn.connect(ccache=ccache)
-        else:
-            conn.connect(bind_dn=ipaldap.DIRMAN_DN,
-                         bind_pw=config.dirman_password,
-                         tls_cacertfile=cafile)
+        conn.connect(ccache=ccache)
+
         if not promote:
             # Install CA cert so that we can do SSL connections with ldap
             install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
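Review bot: With the else branch gone, the non-promote (DL0) path now binds `conn` with the host-keytab ccache instead of Directory Manager with a password, so `install_ca_cert` and every later operation on `conn` past the end of the hunk runs under the host principal's ACI rights rather than DM's; that privilege change is the real content of the hunk and deserves a comment at `conn.connect(ccache=ccache)`, e.g. `# both DL0 and DL1 bind as the host principal; the keytab was kinit'ed in install_check`. Dropping `tls_cacertfile=cafile` also means this bind no longer pins the CA file explicitly, so if ldap2 still negotiates TLS for this connection it now has to find trust elsewhere — worth confirming rather than assuming the GSSAPI bind makes it moot. The now-unconditional `ccache = os.environ['KRB5CCNAME']` earlier in install() will raise a bare KeyError if the variable was not carried over from install_check, which is a less helpful failure than the old password-bind error. install's body continues outside the hunk.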