conncheck: Additional check to verify the admin password is ok

If we can get a ticket for the master then we know we got all right.
This should avoid being prompted again by ssh if the kinit failed and for some
reason the error was not caught (seen in live tests).

1 files changed, 9 insertions, 0 deletions

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index ac1817e5d..48ff336ff 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -323,6 +323,15 @@ def main():
             if returncode != 0:
                 raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
 
+            # Verify kinit was actually successful
+            stderr=''
+            (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno',
+                 'host/%s' % options.master],
+                 env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+                 raiseonerr=False)
+            if returncode != 0:
+                raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
             remote_check_opts = ['--replica %s' % options.hostname]
             if options.check_ca:
                 remote_check_opts.append('--check-ca')