From 3963687cde0552732259afa6fcf1393f56753423 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Wed, 31 Aug 2011 14:13:32 -0400
Subject: conncheck: Additional check to verify the admin password is ok

If we can get a ticket for the master then we know we got all right.
This should avoid being prompted again by ssh if the kinit failed and for some
reason the error was not caught (seen in live tests).
---
 install/tools/ipa-replica-conncheck | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index ac1817e5d..48ff336ff 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -323,6 +323,15 @@ def main():
             if returncode != 0:
                 raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
 
+            # Verify kinit was actually successful
+            stderr=''
+            (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno',
+                 'host/%s' % options.master],
+                 env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+                 raiseonerr=False)
+            if returncode != 0:
+                raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
             remote_check_opts = ['--replica %s' % options.hostname]
             if options.check_ca:
                 remote_check_opts.append('--check-ca')
-- 
cgit