Hello,

Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required.


The fact is that should rpcclient connection fail for some other reason and the control would fall back to SSH, this will still be broken and needs fixing. I will create a ticket for that.

Standa

From 66e49904f7901fbfebcbd1a8b9f397667e89c60b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Jun 2016 16:08:49 +0200
Subject: [PATCH] Fix to ipa-ca-install asking for host principal password

The nss_db variable didn't go through the proper initialization

https://fedorahosted.org/freeipa/ticket/5965
---
 install/tools/ipa-replica-conncheck | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 991f4e429dd1df7036b4a1c0175ca5daaea521ad..e308b118f20306107bc62eba2a60187fbc52f4fc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -462,10 +462,6 @@ def main():
                     nss_dir = paths.IPA_NSSDB_DIR
 
                 with certdb.NSSDatabase(nss_dir) as nss_db:
-                    api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
-                                  nss_dir=nss_db.secdir)
-                    api.finalize()
-
                     if options.ca_cert_file:
                         nss_dir = nss_db.secdir
 
@@ -483,6 +479,9 @@ def main():
                     else:
                         nss_dir = None
 
+                    api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
+                                  nss_dir=nss_db.secdir)
+                    api.finalize()
                     try:
                         api.Backend.rpcclient.connect()
                         api.Command.ping()
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to