authorSimo Sorce <simo@redhat.com>2015-07-28 11:31:16 -0400
committerJan Cholasta <jcholast@redhat.com>2015-10-15 14:24:33 +0200
commit5761f73e2598dc404a3b51c6810e3dd250d2ba11 (patch)
tree8abaf4037e15efef98d464d77d75f68cec9ffb29
parentf7d1e4f9a21b0f3e63bd3bcd4a17acf749e0b208 (diff)
Allow ipa-replica-conncheck to use default creds
If the user has already run kinit, try to use those credentials. The user can always override by explicitly passing the -p flag. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rwxr-xr-xinstall/tools/ipa-replica-conncheck105
-rw-r--r--ipaserver/install/replication.py7
-rw-r--r--ipaserver/install/server/replicainstall.py14
3 files changed, 83 insertions, 43 deletions
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 9050c8e08..e4c259b7e 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -40,11 +40,12 @@ import errno
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
+import gssapi
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
QUIET = False
-CCACHE_FILE = paths.CONNCHECK_CCACHE
+CCACHE_FILE = None
KRB5_CONFIG = None
class SshExec(object):
@@ -64,12 +65,22 @@ class SshExec(object):
self.cmd,
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
+ '-o GSSAPIAuthentication=yes',
'%s@%s' % (self.user, self.addr), command
]
if verbose:
cmd.insert(1, '-v')
- env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
+ env = dict()
+ if KRB5_CONFIG is not None:
+ env['KRB5_CONFIG'] = KRB5_CONFIG
+ elif 'KRB5_CONFIG' in os.environ:
+ env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
+ if CCACHE_FILE is not None:
+ env['KRB5CCNAME'] = CCACHE_FILE
+ elif 'KRB5CCNAME' in os.environ:
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
+
return ipautil.run(cmd, env=env, raiseonerr=False)
@@ -110,7 +121,7 @@ def parse_options():
replica_group.add_option("-k", "--kdc", dest="kdc",
help="Master KDC. Defaults to master address")
replica_group.add_option("-p", "--principal", dest="principal",
- default="admin", help="Principal to use to log in to remote master")
+ default=None, help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal"),
parser.add_option_group(replica_group)
@@ -352,45 +363,63 @@ def main():
remote_check_opts = ['--replica %s' % options.hostname]
if options.auto_master_check:
- (krb_fd, krb_name) = tempfile.mkstemp()
- os.close(krb_fd)
- configure_krb5_conf(options.realm, options.kdc, krb_name)
- global KRB5_CONFIG
- KRB5_CONFIG = krb_name
-
print_info("Get credentials to log in to remote master")
- if options.principal.find('@') == -1:
- principal = '%s@%s' % (options.principal, options.realm)
- user = options.principal
+ cred = None
+ if options.principal is None:
+ # Check if ccache is available
+ try:
+ root_logger.debug('KRB5CCNAME set to %s' %
+ os.environ.get('KRB5CCNAME', None))
+ # get default creds, will raise if none found
+ cred = gssapi.creds.Credentials()
+ principal = str(cred.name)
+ except gssapi.raw.misc.GSSError as e:
+ root_logger.debug('Failed to find default ccache: %s' % e)
+ # Use admin as the default principal
+ principal = "admin"
else:
principal = options.principal
- user = options.principal.partition('@')[0]
-
- if options.password:
- password=options.password
- else:
- password = installutils.read_password(principal, confirm=False,
- validate=False, retry=False)
- if password is None:
- sys.exit("Principal password required")
-
-
- stderr=''
- (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
- env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
- stdin=password, raiseonerr=False)
- if returncode != 0:
- raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
-
- # Verify kinit was actually successful
- stderr=''
- (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
- 'host/%s' % options.master],
- env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
- raiseonerr=False)
- if returncode != 0:
- raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+ if cred is None:
+ (krb_fd, krb_name) = tempfile.mkstemp()
+ os.close(krb_fd)
+ configure_krb5_conf(options.realm, options.kdc, krb_name)
+ global KRB5_CONFIG
+ KRB5_CONFIG = krb_name
+ (ccache_fd, ccache_name) = tempfile.mkstemp()
+ os.close(ccache_fd)
+ global CCACHE_FILE
+ CCACHE_FILE = ccache_name
+
+ if principal.find('@') == -1:
+ principal = '%s@%s' % (principal, options.realm)
+
+ if options.password:
+ password=options.password
+ else:
+ password = installutils.read_password(principal, confirm=False,
+ validate=False, retry=False)
+ if password is None:
+ sys.exit("Principal password required")
+
+
+ stderr=''
+ (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
+ env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+ stdin=password, raiseonerr=False)
+ if returncode != 0:
+ raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
+
+ # Verify kinit was actually successful
+ stderr=''
+ (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
+ 'host/%s' % options.master],
+ env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+ raiseonerr=False)
+ if returncode != 0:
+ raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
+ user = principal.partition('@')[0]
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
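Review bot: The kvno verification (the `# Verify kinit was actually successful` block) now runs only inside `if cred is None:`, so when a default ccache is picked up via `gssapi.creds.Credentials()` nothing confirms it holds a usable ticket for `options.realm`/`options.master` before the SSH step, and an expired or wrong-realm ccache surfaces only as a less specific SSH failure. Consider dedenting that block so it runs on both paths and building its `env` the same way `SshExec.__call__` does (the globals when set, otherwise the inherited KRB5_CONFIG/KRB5CCNAME), since on the default-credential path both `KRB5_CONFIG` and `CCACHE_FILE` are None. Separately, `gssapi.creds.Credentials()` acquires credentials with the library's default usage of 'both'; only initiator credentials are needed here, so `usage='initiate'` would avoid depending on acceptor (keytab) credentials on a not-yet-enrolled replica — worth confirming against the python-gssapi version in use. The krb5.conf and ccache temp files created with `tempfile.mkstemp()` are not removed within this hunk; if a cleanup path elsewhere still refers to `paths.CONNCHECK_CCACHE`, it needs to follow the new `CCACHE_FILE` value. The body of main() continues outside the hunk.
```python
        # … unchanged: temp krb5.conf/ccache setup, password prompt and kinit inside `if cred is None:` …

        # Verify the credentials (fresh kinit or pre-existing default ccache) can
        # actually obtain a ticket for the master; build env the way SshExec does.
        env = dict()
        if KRB5_CONFIG is not None:
            env['KRB5_CONFIG'] = KRB5_CONFIG
        elif 'KRB5_CONFIG' in os.environ:
            env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
        if CCACHE_FILE is not None:
            env['KRB5CCNAME'] = CCACHE_FILE
        elif 'KRB5CCNAME' in os.environ:
            env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
        (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
                                                    'host/%s' % options.master],
                                                   env=env, raiseonerr=False)
        if returncode != 0:
            raise RuntimeError("Could not get ticket for master server: %s" % stderr)
```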
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 858e3f36b..45dea27bb 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -64,7 +64,8 @@ STRIP_ATTRS = ('modifiersName',
def replica_conn_check(master_host, host_name, realm, check_ca,
- dogtag_master_ds_port, admin_password=None):
+ dogtag_master_ds_port, admin_password=None,
+ principal="admin"):
"""
Check the ports used by the replica both locally and remotely to be sure
that replication will work.
@@ -74,10 +75,12 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
print("Run connection check to master")
args = [paths.IPA_REPLICA_CONNCHECK, "--master", master_host,
"--auto-master-check", "--realm", realm,
- "--principal", "admin",
"--hostname", host_name]
nolog=tuple()
+ if principal is not None:
+ args.extend(["--principal", principal])
+
if admin_password:
args.extend(["--password", admin_password])
nolog=(admin_password,)
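Review bot: The new `principal` parameter is not documented in the docstring at the top of the first hunk (`Check the ports used by the replica ...`), and its semantics are non-obvious: the default is `"admin"`, and a caller must pass `None` explicitly to make ipa-replica-conncheck fall back to the default credential cache (the `if principal is not None:` branch). Add a line such as `principal: value passed as --principal; None lets ipa-replica-conncheck use the caller's default ccache if one exists (default "admin")`. Note also that `admin_password` still goes on the child's argv via `--password`; `nolog` keeps it out of the log, but it is visible in process listings for the duration of the check — pre-existing, though the replicainstall.py change in this commit now actually supplies it, so handing it to the child on stdin (if the tool can read it there) would be worth considering. The function body continues outside the hunk.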
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 13573f404..88f016179 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -821,6 +821,7 @@ def promote_check(installer):
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
# Check if ccache is available
+ default_cred = None
try:
root_logger.debug('KRB5CCNAME set to %s' %
os.environ.get('KRB5CCNAME', None))
@@ -853,8 +854,8 @@ def promote_check(installer):
stdin = None
if principal.find('@') == -1:
principal = '%s@%s' % (principal, config.realm_name)
- if options.password is not None:
- stdin = options.password
+ if options.admin_password is not None:
+ stdin = options.admin_password
else:
if not options.unattended:
try:
@@ -876,6 +877,9 @@ def promote_check(installer):
else:
stdin = sys.stdin.readline()
+ # set options.admin_password for future use
+ options.admin_password = stdin
+
try:
ipautil.kinit_password(principal, stdin, ccache_name)
except RuntimeError as e:
@@ -1030,9 +1034,13 @@ def promote_check(installer):
# check connection
if not options.skip_conncheck:
+ p = None
+ if default_cred is None:
+ p = principal
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
- options.setup_ca, dogtag.Dogtag10Constants.DS_PORT)
+ options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
+ options.admin_password, principal=p)
if not ipautil.file_exists(cafile):
raise RuntimeError("CA cert file is not available.")