From 68d5fe1ec7d785f127b3513f84cc632cdb1f9167 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 13 Jul 2012 18:12:48 +0300 Subject: Ensure ipa-adtrust-install is run with Kerberos ticket for admin user When setting up AD trusts support, ipa-adtrust-install utility needs to be run as: - root, for performing Samba configuration and using LDAPI/autobind - kinit-ed IPA admin user, to ensure proper ACIs are granted to fetch keytab As result, we can get rid of Directory Manager credentials in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/2815 --- ipaserver/install/cainstance.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'ipaserver/install/cainstance.py')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2644689a..dc4374cc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -225,10 +225,9 @@ def get_outputList(data):
 class CADSInstance(service.Service):
 def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None):
- service.Service.__init__(self, "pkids")
+ service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
 self.serverid = "PKI-IPA"
 self.realm_name = realm_name
- self.dm_password = dm_password
 self.sub_dict = None
 self.domain = domain_name
 self.fqdn = host_name
-- cgit
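Review bot: The new `service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)` call pins this instance to password bind while `dm_password` still defaults to `None`, and nothing in the hunk says what a credential-less `CADSInstance()` is allowed to do. With autobind switched off there is no fallback, so an LDAP operation on such an instance would presumably fail late or attempt an unauthenticated bind, depending on how `Service` treats a `None` password; that code is not shown because the view is limited to cainstance.py. A comment above the call would record the intent, for example `# PKI-IPA DS: simple bind with the DM password only; LDAPI/autobind intentionally disabled`, along with a docstring line stating that `dm_password` is required for any operation that connects to the directory. It is also worth confirming that `Service.__init__` now stores `dm_password` on the instance, since the `self.dm_password = dm_password` assignment is dropped here and any later read of that attribute depends on it. The body of `__init__` continues past the end of the hunk.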