On 06/23/2016 08:09 AM, Jan Cholasta wrote:
On 22.6.2016 16:22, Stanislav Laznicka wrote:
Hello,

Please see the patch attached that fixes the issue from
https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a
while to create as I thought something was wrong with the SshExec class
which actually was where the password was required.

"The nss_db variable didn't go through the proper initialization"

You are going to have to be more specific, because the variable is properly initialized right here:

                with certdb.NSSDatabase(nss_dir) as nss_db:

And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():

    def __init__(self, nssdir=None):
        if nssdir is None:
            self.secdir = tempfile.mkdtemp()
            self._is_temporary = True
        else:
            self.secdir = nssdir
            self._is_temporary = False

You're right, the commit message was rather generic. Hopefully this new one will be better.

From 010b809a0e940dc25af9f531b60b5b72d1a48b79 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Jun 2016 16:08:49 +0200
Subject: [PATCH] Fix to ipa-ca-install asking for host principal password

With a ca_cert_file specified in options, the nss_db was used before the
certificates from the file were added to it, which caused an exception
that led to fallback to ssh which is broken.

https://fedorahosted.org/freeipa/ticket/5965
---
 install/tools/ipa-replica-conncheck | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 991f4e429dd1df7036b4a1c0175ca5daaea521ad..e308b118f20306107bc62eba2a60187fbc52f4fc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -462,10 +462,6 @@ def main():
                     nss_dir = paths.IPA_NSSDB_DIR
 
                 with certdb.NSSDatabase(nss_dir) as nss_db:
-                    api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
-                                  nss_dir=nss_db.secdir)
-                    api.finalize()
-
                     if options.ca_cert_file:
                         nss_dir = nss_db.secdir
 
@@ -483,6 +479,9 @@ def main():
                     else:
                         nss_dir = None
 
+                    api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
+                                  nss_dir=nss_db.secdir)
+                    api.finalize()
                     try:
                         api.Backend.rpcclient.connect()
                         api.Command.ping()
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to