Hi,

the attached patches fix <https://fedorahosted.org/freeipa/ticket/5497>.

Honza

--
Jan Cholasta
From 142fd5364cf9d31d7e2c35959516ac8d9054c9da Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 08:17:07 +0100
Subject: [PATCH 1/3] build: put oddjob scripts into separate directory

https://fedorahosted.org/freeipa/ticket/5497
---
 freeipa.spec.in                                          | 3 ++-
 install/oddjob/Makefile.am                               | 2 +-
 install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b6..95948e7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -740,6 +740,7 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%dir %{_libexecdir}/ipa/oddjob
 %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
@@ -914,7 +915,7 @@ fi
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
 %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
-%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
+%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
 
 %endif # ONLY_CLIENT
 
diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am
index 9dde10c..5cdaf2b 100644
--- a/install/oddjob/Makefile.am
+++ b/install/oddjob/Makefile.am
@@ -1,6 +1,6 @@
 NULL =
 
-oddjobdir = $(libexecdir)/ipa
+oddjobdir = $(libexecdir)/ipa/oddjob
 oddjobconfdir = $(sysconfdir)/oddjobd.conf.d
 dbusconfdir = $(sysconfdir)/dbus-1/system.d
 
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index 17817de..bc2e8d1 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -10,7 +10,7 @@
       </interface>
       <interface name="com.redhat.idm.trust">
         <method name="fetch_domains">
-          <helper exec="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains"
+          <helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
 		  arguments="1"
                   argument_passing_method="cmdline"
 		  prepend_user_name="no"/>
-- 
2.4.3

From 5710e614808df26f34baec476434af6afb3a8ddb Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 08:18:21 +0100
Subject: [PATCH 2/3] replica install: add remote connection check over API

Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.

https://fedorahosted.org/freeipa/ticket/5497
---
 API.txt                                            |   8 ++
 VERSION                                            |   4 +-
 freeipa.spec.in                                    |   9 +-
 install/oddjob/Makefile.am                         |   3 +
 .../etc/dbus-1/system.d/org.freeipa.server.conf    |  21 ++++
 install/oddjob/etc/oddjobd.conf.d/ipa-server.conf  |  20 ++++
 install/oddjob/org.freeipa.server.conncheck        |   2 +
 install/tools/ipa-ca-install                       |   6 +
 install/tools/ipa-replica-conncheck                | 131 ++++++++++++++++++---
 install/updates/90-post_upgrade_plugins.update     |   1 -
 ipalib/errors.py                                   |   1 +
 ipalib/messages.py                                 |  10 ++
 ipalib/plugins/server.py                           |  70 ++++++++++-
 ipaserver/install/adtrustinstance.py               |  19 ---
 ipaserver/install/ca.py                            |   2 +-
 ipaserver/install/httpinstance.py                  |  26 ++++
 ipaserver/install/installutils.py                  |  12 --
 ipaserver/install/plugins/adtrust.py               |  21 ----
 ipaserver/install/replication.py                   |   6 +-
 ipaserver/install/server/replicainstall.py         |   5 +-
 ipaserver/install/server/upgrade.py                |   1 +
 21 files changed, 300 insertions(+), 78 deletions(-)
 create mode 100644 install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
 create mode 100644 install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
 create mode 100755 install/oddjob/org.freeipa.server.conncheck

diff --git a/API.txt b/API.txt
index 60c98c3..15be32c 100644
--- a/API.txt
+++ b/API.txt
@@ -3812,6 +3812,14 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
+command: server_conncheck
+args: 2,1,3
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
+arg: Str('remote_cn', cli_name='remote_name')
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'bool'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
 command: server_del
 args: 1,2,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True)
diff --git a/VERSION b/VERSION
index b7f261b..df12ec0 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=161
-# Last change: pvoborni - topologysuffix: change iparepltopomanagedsuffix type
+IPA_API_VERSION_MINOR=162
+# Last change: jcholast - replica install: add remote connection check over API
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 95948e7..5406ad2 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -165,6 +165,7 @@ Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: python-gssapi >= 1.1.0
 Requires: custodia
+Requires: oddjob
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -229,7 +230,6 @@ Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
 Requires: python-libsss_nss_idmap
-Requires: oddjob
 Requires: python-sss
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
@@ -593,6 +593,8 @@ if [ $1 = 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl --quiet stop ipa.service || :
     /bin/systemctl --quiet disable ipa.service || :
+    /bin/systemctl reload-or-try-restart dbus
+    /bin/systemctl reload-or-try-restart oddjobd
 # END
 fi
 
@@ -604,6 +606,8 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
     /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
 # END
 fi
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
 
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
@@ -741,12 +745,15 @@ fi
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %dir %{_libexecdir}/ipa/oddjob
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
+%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am
index 5cdaf2b..fb64f6c 100644
--- a/install/oddjob/Makefile.am
+++ b/install/oddjob/Makefile.am
@@ -6,14 +6,17 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
 
 oddjob_SCRIPTS =				\
 	com.redhat.idm.trust-fetch-domains	\
+	org.freeipa.server.conncheck		\
 	$(NULL)
 
 dbusconf_DATA =						\
 	etc/dbus-1/system.d/oddjob-ipa-trust.conf	\
+	etc/dbus-1/system.d/org.freeipa.server.conf	\
 	$(NULL)
 
 oddjobconf_DATA =					\
 	etc/oddjobd.conf.d/oddjobd-ipa-trust.conf	\
+	etc/oddjobd.conf.d/ipa-server.conf		\
 	$(NULL)
 
 
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
new file mode 100644
index 0000000..b2cbf74
--- /dev/null
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -0,0 +1,21 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
+
+<busconfig>
+
+  <policy user="root">
+    <allow own="org.freeipa.server"/>
+
+    <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+  </policy>
+
+  <policy user="apache">
+    <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+  </policy>
+
+  <policy context="default">
+    <allow send_destination="org.freeipa.server" send_interface="org.freedesktop.DBus.Introspectable"/>
+  </policy>
+
+</busconfig>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
new file mode 100644
index 0000000..3f80696
--- /dev/null
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<oddjobconfig>
+  <service name="org.freeipa.server">
+    <allow user="root"/>
+    <allow user="apache"/>
+    <object name="/">
+      <interface name="org.freeipa.server">
+        <method name="conncheck">
+          <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+                  arguments="1"
+                  prepend_user_name="no"
+                  argument_passing_method="cmdline"/>
+        </method>
+      </interface>
+      <interface name="org.freedesktop.DBus.Introspectable">
+        <allow min_uid="0" max_uid="0"/>
+      </interface>
+    </object>
+  </service>
+</oddjobconfig>
diff --git a/install/oddjob/org.freeipa.server.conncheck b/install/oddjob/org.freeipa.server.conncheck
new file mode 100755
index 0000000..ab7a46a
--- /dev/null
+++ b/install/oddjob/org.freeipa.server.conncheck
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/sbin/ipa-replica-conncheck --replica "$1" 2>&1
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index b1d58f7..0b8f28c 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -149,8 +149,10 @@ def install_replica(safe_options, options, filename):
         config.ca_ds_port = 389
         config.top_dir = tempfile.mkdtemp("ipa")
         config.dir = config.top_dir
+        cafile = paths.IPA_CA_CRT
     else:
         config = create_replica_config(dirman_password, filename, options)
+        cafile = config.dir + '/ca.crt'
 
     global REPLICA_INFO_TOP_DIR
     REPLICA_INFO_TOP_DIR = config.top_dir
@@ -176,6 +178,10 @@ def install_replica(safe_options, options, filename):
     options.dm_password = config.dirman_password
     options.host_name = config.host_name
     options.subject = config.subject_base
+    if os.path.exists(cafile):
+        options.ca_cert_file = cafile
+    else:
+        options.ca_cert_file = None
 
     ca.install_check(True, config, options)
     if options.promote:
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index a67837c..10e3437 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -22,11 +22,12 @@ from __future__ import print_function
 
 from ipapython.config import IPAOptionParser
 from ipapython import version
-from ipapython import ipautil
+from ipapython import ipautil, certdb
 from ipapython.ipautil import CalledProcessError
+from ipalib import api, errors, x509
 from ipaserver.install import installutils
 import ipaclient.ipachangeconf
-from optparse import OptionGroup
+from optparse import OptionGroup, OptionValueError
 from ipapython.ipa_log_manager import *
 import sys
 import os
@@ -40,6 +41,7 @@ from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
 import gssapi
+from nss import nss
 
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
@@ -106,6 +108,30 @@ def print_info(msg):
         print(msg)
 
 def parse_options():
+    def ca_cert_file_callback(option, opt, value, parser):
+        if not os.path.exists(value):
+            raise OptionValueError(
+                "%s option '%s' does not exist" % (opt, value))
+        if not os.path.isfile(value):
+            raise OptionValueError(
+                "%s option '%s' is not a file" % (opt, value))
+        if not os.path.isabs(value):
+            raise OptionValueError(
+                "%s option '%s' is not an absolute file path" % (opt, value))
+
+        initialized = nss.nss_is_initialized()
+        try:
+            x509.load_certificate_list_from_file(value)
+        except Exception:
+            raise OptionValueError(
+                "%s option '%s' is not a valid certificate file" %
+                (opt, value))
+        finally:
+            if not initialized:
+                nss.nss_shutdown()
+
+        parser.values.ca_cert_file = value
+
     parser = IPAOptionParser(version=version.VERSION)
 
     replica_group = OptionGroup(parser, "on-replica options")
@@ -123,6 +149,10 @@ def parse_options():
                       default=None, help="Principal to use to log in to remote master")
     replica_group.add_option("-w", "--password", dest="password", sensitive=True,
                       help="Password for the principal"),
+    replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
+                             type="string", action="callback",
+                             callback=ca_cert_file_callback,
+                             help="load the CA certificate from this file")
     parser.add_option_group(replica_group)
 
 
@@ -418,22 +448,89 @@ def main():
                 if returncode != 0:
                     raise RuntimeError("Could not get ticket for master server: %s" % stderr)
 
-            user = principal.partition('@')[0]
-            ssh = SshExec(user, options.master)
+            try:
+                print_info("Check RPC connection to remote master")
+
+                xmlrpc_uri = ('https://%s/ipa/xml' %
+                              ipautil.format_netloc(options.master))
+                api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri)
+                api.finalize()
 
-            print_info("Check SSH connection to remote master")
-            stdout, stderr, returncode = ssh('echo OK', verbose=True)
-            if returncode != 0:
-                print('Could not SSH into remote host. Error output:')
-                for line in stderr.splitlines():
-                    print('    %s' % line)
-                raise RuntimeError('Could not SSH to remote host.')
-
-            print_info("Execute check on remote master")
-            stdout, stderr, returncode = ssh(
-                "/usr/sbin/ipa-replica-conncheck " +
-                    " ".join(remote_check_opts))
-            print_info(stdout)
+                if options.ca_cert_file:
+                    nss_dir = None
+                else:
+                    nss_dir = paths.IPA_NSSDB_DIR
+
+                with certdb.NSSDatabase(nss_dir) as nss_db:
+                    if options.ca_cert_file:
+                        nss_dir = nss_db.secdir
+
+                        password = ipautil.ipa_generate_password()
+                        password_file = ipautil.write_tmp_file(password)
+                        nss_db.create_db(password_file.name)
+
+                        ca_certs = x509.load_certificate_list_from_file(
+                            options.ca_cert_file, dbdir=nss_db.secdir)
+                        for ca_cert in ca_certs:
+                            nss_db.add_cert(
+                                ca_cert.der_data, str(ca_cert.subject), 'C,,')
+                            del ca_cert
+                        del ca_certs
+                    else:
+                        nss_dir = None
+
+                    try:
+                        api.Backend.rpcclient.connect(nss_dir=nss_dir)
+                        api.Command.ping()
+                    except Exception as e:
+                        print_info(
+                            "Could not connect to the remote host: %s" % e)
+                        raise
+
+                    print_info("Execute check on remote master")
+                    try:
+                        result = api.Backend.rpcclient.forward(
+                            'server_conncheck',
+                            ipautil.fsdecode(options.master),
+                            ipautil.fsdecode(options.hostname),
+                            version=u'2.162',
+                        )
+                    except (errors.CommandError, errors.NetworkError) as e:
+                        print_info(
+                            "Remote master does not support check over RPC: "
+                            "%s" % e)
+                        raise
+                    except errors.PublicError as e:
+                        returncode = 1
+                        stderr = e
+                    else:
+                        for message in result['messages']:
+                            print_info(message['message'])
+                        returncode = int(not result['result'])
+                        stderr = ("ipa-replica-conncheck returned non-zero "
+                                  "exit code")
+                    finally:
+                        if api.Backend.rpcclient.isconnected():
+                            api.Backend.rpcclient.disconnect()
+            except Exception:
+                print_info("Retrying using SSH...")
+
+                user = principal.partition('@')[0]
+                ssh = SshExec(user, options.master)
+
+                print_info("Check SSH connection to remote master")
+                stdout, stderr, returncode = ssh('echo OK', verbose=True)
+                if returncode != 0:
+                    print('Could not SSH into remote host. Error output:')
+                    for line in stderr.splitlines():
+                        print('    %s' % line)
+                    raise RuntimeError('Could not SSH to remote host.')
+
+                print_info("Execute check on remote master")
+                stdout, stderr, returncode = ssh(
+                    "/usr/sbin/ipa-replica-conncheck " +
+                        " ".join(remote_check_opts))
+                print_info(stdout)
             if returncode != 0:
                 raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
         else:
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 2089b33..626255a 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -19,4 +19,3 @@ plugin: update_managed_post
 plugin: update_managed_permissions
 plugin: update_idrange_baserid
 plugin: update_passync_privilege_update
-plugin: update_oddjobd_for_adtrust
diff --git a/ipalib/errors.py b/ipalib/errors.py
index b82d199..0fa540b 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1372,6 +1372,7 @@ class InvalidDomainLevelError(ExecutionError):
     errno = 4032
     format = _('%(reason)s')
 
+
 class BuiltinError(ExecutionError):
     """
     **4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 44fee6d..078e13f 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -321,6 +321,16 @@ class CommandDeprecatedWarning(PublicMessage):
     format = _(u"'%(command)s' is deprecated. %(additional_info)s")
 
 
+class ExternalCommandOutput(PublicMessage):
+    """
+    **13016** Line of output from an external command.
+    """
+
+    errno = 13016
+    type = "info"
+    format = _("%(line)s")
+
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """
diff --git a/ipalib/plugins/server.py b/ipalib/plugins/server.py
index 8284a58..6286c59 100644
--- a/ipalib/plugins/server.py
+++ b/ipalib/plugins/server.py
@@ -5,11 +5,15 @@
 import string
 import os
 
-from ipalib import api
+import dbus
+import dbus.mainloop.glib
+
+from ipalib import api, crud, errors, messages
 from ipalib import Int, Str
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins import baseldap
+from ipalib.request import context
 from ipalib import _, ngettext
 
 __doc__ = _("""
@@ -188,3 +192,67 @@ class server_del(LDAPDelete):
     __doc__ = _('Delete IPA server.')
     NO_CLI = True
     msg_summary = _('Deleted IPA server "%(value)s"')
+
+
+@register()
+class server_conncheck(crud.PKQuery):
+    __doc__ = _("Check connection to remote IPA server.")
+
+    NO_CLI = True
+
+    takes_args = (
+        Str(
+            'remote_cn',
+            cli_name='remote_name',
+            label=_('Remote server name'),
+            doc=_('Remote IPA server hostname'),
+        ),
+    )
+
+    has_output = output.standard_value
+
+    def execute(self, *keys, **options):
+        # the server must be the local host
+        if keys[-2] != api.env.host:
+            raise errors.ValidationError(
+                name='cn', error=_("must be \"%s\"") % api.env.host)
+
+        # the server entry must exist
+        try:
+            self.obj.get_dn_if_exists(*keys[:-1])
+        except errors.NotFound:
+            self.obj.handle_not_found(keys[-2])
+
+        # the user must have the Replication Administrators privilege
+        privilege = u'Replication Administrators'
+        privilege_dn = self.api.Object.privilege.get_dn(privilege)
+        ldap = self.obj.backend
+        filter = ldap.make_filter(
+            {'krbprincipalname': context.principal, 'memberof': privilege_dn},
+            rules=ldap.MATCH_ALL)
+        try:
+            ldap.find_entries(base_dn=self.api.env.basedn, filter=filter)
+        except errors.NotFound:
+            raise errors.ACIError(
+                info=_("not allowed to perform server connection check"))
+
+        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+
+        bus = dbus.SystemBus()
+        obj = bus.get_object('org.freeipa.server', '/',
+                             follow_name_owner_changes=True)
+        server = dbus.Interface(obj, 'org.freeipa.server')
+
+        ret, stdout, stderr = server.conncheck(keys[-1])
+
+        result = dict(
+            result=(ret == 0),
+            value=keys[-2],
+        )
+
+        for line in stdout.splitlines():
+            messages.add_message(options['version'],
+                                 result,
+                                 messages.ExternalCommandOutput(line=line))
+
+        return result
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 813d48e..118f848 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -726,9 +726,6 @@ class ADTRUSTInstance(service.Service):
         except Exception as e:
             root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
-    def  __enable_and_start_oddjobd(self):
-        installutils.enable_and_start_oddjobd(self.sstore)
-
     def __start(self):
         try:
             self.start()
@@ -881,7 +878,6 @@ class ADTRUSTInstance(service.Service):
         self.step("adding Default Trust View", self.__add_default_trust_view)
         self.step("setting SELinux booleans", \
                   self.__configure_selinux_for_smbd)
-        self.step("enabling oddjobd", self.__enable_and_start_oddjobd)
         self.step("starting CIFS services", self.__start)
 
         if self.add_sids:
@@ -911,21 +907,6 @@ class ADTRUSTInstance(service.Service):
         except Exception:
             pass
 
-        # Restore oddjobd to its original state
-        oddjobd = services.service('oddjobd')
-
-        if not self.sstore.restore_state('oddjobd', 'running'):
-            try:
-                oddjobd.stop()
-            except Exception:
-                pass
-
-        if not self.sstore.restore_state('oddjobd', 'enabled'):
-            try:
-                oddjobd.disable()
-            except Exception:
-                pass
-
         # Since we do not guarantee restoring back to working samba state,
         # we should not restore smb.conf
 
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 1a51ebc..36a7d57 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -40,7 +40,7 @@ def install_check(standalone, replica_config, options):
             replica_conn_check(
                 replica_config.master_host_name, host_name, realm_name, True,
                 replica_config.ca_ds_port, options.admin_password,
-                principal=principal)
+                principal=principal, ca_cert_file=options.ca_cert_file)
 
         if options.skip_schema_check or options.promote:
             root_logger.info("Skipping CA DS schema check")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 1b68573..b51cc4a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -163,6 +163,7 @@ class HTTPInstance(service.Service):
             self.step("enable KDC proxy", self.enable_kdcproxy)
         self.step("restarting httpd", self.__start)
         self.step("configuring httpd to start on boot", self.__enable)
+        self.step("enabling oddjobd", self.enable_and_start_oddjobd)
 
         self.start_creation(runtime=60)
 
@@ -441,6 +442,17 @@ class HTTPInstance(service.Service):
             f.write(http_txt)
         os.chmod(target_fname, 0o644)
 
+    def enable_and_start_oddjobd(self):
+        oddjobd = services.service('oddjobd')
+        self.sstore.backup_state('oddjobd', 'running', oddjobd.is_running())
+        self.sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled())
+
+        try:
+            oddjobd.enable()
+            oddjobd.start()
+        except Exception as e:
+            root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring web server")
@@ -448,6 +460,20 @@ class HTTPInstance(service.Service):
         running = self.restore_state("running")
         enabled = self.restore_state("enabled")
 
+        # Restore oddjobd to its original state
+        oddjobd = services.service('oddjobd')
+
+        if not self.sstore.restore_state('oddjobd', 'running'):
+            try:
+                oddjobd.stop()
+            except Exception:
+                pass
+
+        if not self.sstore.restore_state('oddjobd', 'enabled'):
+            try:
+                oddjobd.disable()
+            except Exception:
+                pass
 
         self.stop_tracking_certificates()
 
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 156c8a5..bdbe2e3 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1103,18 +1103,6 @@ def realm_to_ldapi_uri(realm_name):
     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
 
 
-def enable_and_start_oddjobd(sstore):
-    oddjobd = services.service('oddjobd')
-    sstore.backup_state('oddjobd', 'running', oddjobd.is_running())
-    sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled())
-
-    try:
-        oddjobd.enable()
-        oddjobd.start()
-    except Exception as e:
-        root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
-
-
 def install_service_keytab(principal, server, path, force_service_add=False):
 
     try:
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 45bcc5f..5510dfd 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -164,26 +164,5 @@ class update_default_trust_view(Updater):
 
         return False, [update]
 
-
-class update_oddjobd_for_adtrust(Updater):
-    """
-    Enables and starts oddjobd daemon if ipa-adtrust-install has been run
-    on this system.
-    """
-
-    def execute(self, **options):
-        adtrust_is_enabled = self.api.Command['adtrust_is_enabled']()['result']
-
-        if adtrust_is_enabled:
-            self.log.debug('Try to enable and start oddjobd')
-            sstore = sysrestore.StateFile(paths.SYSRESTORE)
-            installutils.enable_and_start_oddjobd(sstore)
-        else:
-            self.log.debug('ADTrust not configured on this server, do not '
-                           'start and enable oddjobd')
-
-        return False, []
-
 api.register(update_default_range)
 api.register(update_default_trust_view)
-api.register(update_oddjobd_for_adtrust)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index aaa841c..ee1b507 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -67,7 +67,7 @@ STRIP_ATTRS = ('modifiersName',
 
 def replica_conn_check(master_host, host_name, realm, check_ca,
                        dogtag_master_ds_port, admin_password=None,
-                       principal="admin"):
+                       principal="admin", ca_cert_file=None):
     """
     Check the ports used by the replica both locally and remotely to be sure
     that replication will work.
@@ -89,6 +89,10 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 
     if check_ca and dogtag_master_ds_port == 7389:
         args.append('--check-ca')
+
+    if ca_cert_file:
+        args.extend(["--ca-cert-file", ca_cert_file])
+
     (stdin, stderr, returncode) = ipautil.run(
         args, raiseonerr=False, capture_output=False, nolog=nolog)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4554166..a0bfcb2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -636,7 +636,8 @@ def install_check(installer):
     if not options.skip_conncheck:
         replica_conn_check(
             config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, config.ca_ds_port, options.admin_password)
+            options.setup_ca, config.ca_ds_port, options.admin_password,
+            ca_cert_file=cafile)
 
     installer._remote_api = remote_api
     installer._fstore = fstore
@@ -1152,7 +1153,7 @@ def promote_check(installer):
             replica_conn_check(
                 config.master_host_name, config.host_name, config.realm_name,
                 options.setup_ca, 389,
-                options.admin_password, principal=options.principal)
+                ca_cert_file=cafile)
         finally:
             os.environ['KRB5CCNAME'] = ccache
 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e193b85..8ac2355 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1478,6 +1478,7 @@ def upgrade_configuration():
     http.configure_selinux_for_httpd()
     http.change_mod_nss_port_from_http()
     http.configure_certmonger_renewal_guard()
+    http.enable_and_start_oddjobd()
 
     ds.configure_dirsrv_ccache()
 
-- 
2.4.3

From d8f76c59381795fda940112f485a051aafc1eb9d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 09:25:13 +0100
Subject: [PATCH 3/3] replica promotion: use host credentials for connection
 check

https://fedorahosted.org/freeipa/ticket/5497
---
 ipaserver/install/server/replicainstall.py | 29 +++++------------------------
 1 file changed, 5 insertions(+), 24 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a0bfcb2..d21c7ed 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -936,18 +936,6 @@ def promote_check(installer):
                          paths.KRB5_KEYTAB,
                          ccache)
 
-    if not options.skip_conncheck:
-        if installer._ccache is None:
-            del os.environ['KRB5CCNAME']
-        else:
-            os.environ['KRB5CCNAME'] = installer._ccache
-
-        try:
-            installutils.check_creds(options, config.realm_name)
-            installer._ccache = os.environ.get('KRB5CCNAME')
-        finally:
-            os.environ['KRB5CCNAME'] = ccache
-
     cafile = paths.IPA_CA_CRT
     if not ipautil.file_exists(cafile):
         raise RuntimeError("CA cert file is not available! Please reinstall"
@@ -1144,18 +1132,11 @@ def promote_check(installer):
 
     # check connection
     if not options.skip_conncheck:
-        if installer._ccache is None:
-            del os.environ['KRB5CCNAME']
-        else:
-            os.environ['KRB5CCNAME'] = installer._ccache
-
-        try:
-            replica_conn_check(
-                config.master_host_name, config.host_name, config.realm_name,
-                options.setup_ca, 389,
-                ca_cert_file=cafile)
-        finally:
-            os.environ['KRB5CCNAME'] = ccache
+        replica_conn_check(
+            config.master_host_name, config.host_name, config.realm_name,
+            options.setup_ca, 389,
+            options.admin_password, principal=options.principal,
+            ca_cert_file=cafile)
 
     if not ipautil.file_exists(cafile):
         raise RuntimeError("CA cert file is not available.")
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to