-rwxr-xr-xipa-client/ipa-install/ipa-client-install11
-rw-r--r--ipalib/rpc.py15
2 files changed, 25 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee8e5831..7b057a98 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -42,6 +42,8 @@ try:
from ipalib import api, errors
from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey
+ from ipapython import kernel_keyring
+ from ipalib.rpc import COOKIE_NAME
import SSSDConfig
from ConfigParser import RawConfigParser
from optparse import SUPPRESS_HELP, OptionGroup
@@ -1666,13 +1668,14 @@ def install(options, env, fstore, statestore):
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
# If on master assume kerberos is already configured properly.
# Get the host TGT.
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
- 'host/%s@%s' % (hostname, cli_realm)])
+ host_principal])
except CalledProcessError, e:
root_logger.error("Failed to obtain host TGT.")
return CLIENT_INSTALL_ERROR
@@ -1693,6 +1696,12 @@ def install(options, env, fstore, statestore):
root_logger.info(
"Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+ # Clear out any current session keyring information
+ try:
+ kernel_keyring.del_key(COOKIE_NAME % host_principal)
+ except ValueError:
+ pass
+
# Now, let's try to connect to the server's XML-RPC interface
try:
api.Backend.xmlclient.connect()
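Review bot: The added `except ValueError: pass` around `kernel_keyring.del_key(COOKIE_NAME % host_principal)` discards the failure without a trace. If `del_key` raises ValueError for anything other than a missing key (its behaviour is not visible in this hunk), the old session cookie stays in the keyring and the `api.Backend.xmlclient.connect()` call just below may still pick it up. Logging in the handler would make that diagnosable, e.g. `root_logger.debug("No session keyring entry removed for %s", host_principal)`. The comment could also say why the entry is cleared, presumably so a cookie from an earlier enrollment is not reused for the new host identity. `install()` starts and ends outside this hunk.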
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index fc135f4f..e97536d9 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -546,8 +546,23 @@ class xmlclient(Connectible):
# This shouldn't happen if we have a session but
# it isn't fatal.
pass
+
+ # Create a new serverproxy with the non-session URI. If there
+ # is an existing connection we need to save the NSS dbdir so
+ # we can skip an unnecessary NSS_Initialize() and avoid
+ # NSS_Shutdown issues.
serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate)
+
+ dbdir = None
+ current_conn = getattr(context, self.id, None)
+ if current_conn is not None:
+ dbdir = getattr(current_conn.conn._ServerProxy__transport, 'dbdir', None)
+ if dbdir is not None:
+ self.debug('Using dbdir %s' % dbdir)
setattr(context, self.id, Connection(serverproxy, self.disconnect))
+ if dbdir is not None:
+ current_conn = getattr(context, self.id, None)
+ current_conn.conn._ServerProxy__transport.dbdir = dbdir
return self.forward(name, *args, **kw)
raise NetworkError(uri=server, error=e.errmsg)
except socket.error, e:
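Review bot: The new code reads the `Connection` back from `context` immediately after the `setattr`, then reaches through the name-mangled `_ServerProxy__transport` twice to copy `dbdir`. It would be simpler to hold the object in a local, `conn = Connection(serverproxy, self.disconnect)`, set `conn.conn._ServerProxy__transport.dbdir = dbdir` on it, and only then `setattr(context, self.id, conn)`, so the replacement is never visible without its `dbdir`. The private-attribute access depends on xmlrpclib internals and deserves a one-line comment saying so. Since `dbdir` selects the NSS database the transport uses, the comment block should also state that the retried non-session connection is meant to reuse the previous connection's database, which appears to be the intent. The enclosing method starts and ends outside this hunk.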