URL: https://github.com/freeipa/freeipa/pull/873 Author: dkupka Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia Action: opened
PR body: """ When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/873/head:pr873 git checkout pr873
From 1540a1c243050445e72ad42a88cf0826fa0a9e49 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before attempting to get KRA keys with custodia
When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache.
---
 ipaserver/install/kra.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f345406128..3545b301a9 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@ import shutil
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
 return
 krafile = os.path.join(replica_config.dir, 'kracert.p12')
 if options.promote:
- custodia = custodiainstance.CustodiaInstance(
- replica_config.host_name,
- replica_config.realm_name)
- custodia.get_kra_keys(
- replica_config.kra_host_name,
- krafile,
- replica_config.dirman_password)
+ with ipautil.private_ccache():
+ ccache = os.environ['KRB5CCNAME']
+ kinit_keytab(
+ 'host/{env.host}@{env.realm}'.format(env=api.env),
+ paths.KRB5_KEYTAB,
+ ccache)
+ custodia = custodiainstance.CustodiaInstance(
+ replica_config.host_name,
+ replica_config.realm_name)
+ custodia.get_kra_keys(
+ replica_config.kra_host_name,
+ krafile,
+ replica_config.dirman_password)
 else:
 cafile = os.path.join(replica_config.dir, 'cacert.p12')
 if not ipautil.file_exists(cafile):
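Review bot: The new `with ipautil.private_ccache():` block in `install` gives no hint of why a host credential is obtained before `custodia.get_kra_keys`; the reason lives only in the commit message, so a later reader may take the `kinit_keytab` call for dead weight and remove it. I would put a comment above the `with`, e.g. `# get_kra_keys checks key sync against the master's DS over GSSAPI, so a host/ ticket must be in the ccache; a private ccache keeps the caller's ccache untouched and is torn down when the block exits (verify against private_ccache)`. Reading `os.environ['KRB5CCNAME']` on the first line of the block only works because `private_ccache` sets that variable; if the context manager yields the path it chose, as I believe it does, `with ipautil.private_ccache() as ccache:` states the dependency directly and drops the environment lookup. The enclosing function `install` starts and ends outside the hunk, and the import added in the first hunk needs no change.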