URL: https://github.com/freeipa/freeipa/pull/873
Author: dkupka
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
Action: opened

PR body:
"""
When installing a second (or consequent) KRA instance, keys are retrieved using
custodia. Custodia checks that the keys are synchronized in the master's directory
server; the check uses GSSAPI and therefore fails if there's no ticket in the
ccache.
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/873/head:pr873
git checkout pr873
From 1540a1c243050445e72ad42a88cf0826fa0a9e49 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before attempting to get KRA keys
 with custodia

When installing a second (or consequent) KRA instance, keys are retrieved using
custodia. Custodia checks that the keys are synchronized in the master's directory
server; the check uses GSSAPI and therefore fails if there's no ticket in the
ccache.
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f345406128..3545b301a9 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
             return
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
         if options.promote:
-            custodia = custodiainstance.CustodiaInstance(
-                replica_config.host_name,
-                replica_config.realm_name)
-            custodia.get_kra_keys(
-                replica_config.kra_host_name,
-                krafile,
-                replica_config.dirman_password)
+            with ipautil.private_ccache():
+                ccache = os.environ['KRB5CCNAME']
+                kinit_keytab(
+                    'host/{env.host}@{env.realm}'.format(env=api.env),
+                    paths.KRB5_KEYTAB,
+                    ccache)
+                custodia = custodiainstance.CustodiaInstance(
+                    replica_config.host_name,
+                    replica_config.realm_name)
+                custodia.get_kra_keys(
+                    replica_config.kra_host_name,
+                    krafile,
+                    replica_config.dirman_password)
         else:
             cafile = os.path.join(replica_config.dir, 'cacert.p12')
             if not ipautil.file_exists(cafile):
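Review bot: the principal passed to `kinit_keytab` in this hunk is built from `api.env.host` / `api.env.realm`, while the `CustodiaInstance` constructed a few lines below uses `replica_config.host_name` / `replica_config.realm_name`; if these two sources can ever disagree during promotion the ticket obtained will not be for the host that custodia then acts as, so either derive the principal from `replica_config` too or add a comment stating why `api.env` is authoritative here. The call `kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env), paths.KRB5_KEYTAB, ccache)` also assumes the host keytab has already been written by client enrollment at this point in the promotion flow; a failure there currently propagates as a bare exception, so consider catching it and re-raising with a message naming the keytab path and principal so a missing or stale host key is diagnosable from the install log. Finally, `ccache = os.environ['KRB5CCNAME']` relies on `ipautil.private_ccache()` having exported that variable, which the visible lines do not show; a one-line comment would make that dependency explicit for the next reader.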
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org