authorMartin Babinsky <mbabinsk@redhat.com>2017-03-15 14:03:19 +0100
committerMartin Basti <mbasti@redhat.com>2017-03-15 16:39:39 +0100
commitb45629fc480e61464b402ac2fc52c6f9fc61df0e (patch)
tree8f2cd285f1795bf77627baf2b7ac82eb4742a298
parent8f4abf7bc1607fc44f528b8a443b69cb82269e69 (diff)
check for replica's KDC entry on master before requesting PKINIT cert
This prevents replication-based race conditions from breaking PKINIT certificate requests during replica installation. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipaserver/install/krbinstance.py15
-rw-r--r--ipaserver/plugins/cert.py6
2 files changed, 18 insertions, 3 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 04cf681df..36d15886b 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -30,6 +30,7 @@ import dns.name
from ipaserver.install import service
from ipaserver.install import installutils
+from ipapython import ipaldap
from ipapython import ipautil
from ipapython import kernel_keyring
from ipalib import api
@@ -342,6 +343,17 @@ class KrbInstance(service.Service):
self.move_service_to_host(host_principal)
+ def _wait_for_replica_kdc_entry(self):
+ master_dn = self.api.Object.server.get_dn(self.fqdn)
+ kdc_dn = DN(('cn', 'KDC'), master_dn)
+
+ ldap_uri = 'ldap://{}'.format(self.master_fqdn)
+
+ with ipaldap.LDAPClient(
+ ldap_uri, cacert=paths.IPA_CA_CRT) as remote_ldap:
+ remote_ldap.gssapi_bind()
+ replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
+
def setup_pkinit(self):
if self.pkcs12_info:
certs.install_pem_from_p12(self.pkcs12_info[0],
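Review bot: `_wait_for_replica_kdc_entry` (L32–L41) has no docstring and the hard-coded `timeout=60` is unexplained, so a reader cannot tell why the replica blocks here or what happens when the master's KDC entry never shows up. A docstring such as `"""Block until this replica's cn=KDC entry is visible on the master it is installed from; the entry is created locally and must replicate before the PKINIT cert request, which the master's ca_kdc_check (ipaserver/plugins/cert.py) rejects otherwise."""` would capture the intent the commit message gives. The timeout would read better as a named module constant, e.g. `KDC_ENTRY_WAIT_TIMEOUT = 60`, with a comment on the behavior when it expires (presumably `wait_for_entry` raises, but that is not visible here and is worth confirming since the exception surfaces during replica installation). The connection uses a plain `ldap://` URI with `gssapi_bind()` and `cacert=paths.IPA_CA_CRT`; a one-line comment stating which protection is relied on (SASL GSSAPI integrity/confidentiality, or TLS if the client negotiates STARTTLS for that scheme) would prevent a future reader from assuming the `cacert` argument alone secures the lookup.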
@@ -368,6 +380,9 @@ class KrbInstance(service.Service):
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
+ else:
+ self._wait_for_replica_kdc_entry()
+
certmonger.request_and_wait_for_cert(
certpath,
subject,
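Review bot: The new `else:` branch (L50–L51) carries no comment on why the wait is needed only on this path, and any failure raised inside `_wait_for_replica_kdc_entry()` propagates into the certificate request path unchanged. A short comment such as `# replica install: the KDC entry is created locally and must replicate to the master before it will sign our PKINIT request` would make the branch self-explanatory. setup_pkinit begins and ends outside this hunk, so the condition guarding the CA-helper path above is not visible here; if the wait can time out, consider whether the installer should surface a message naming the master it waited on rather than the raw LDAP exception (inferred — the exception type is not shown in the diff).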
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 47c10f343..9f9010760 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -229,9 +229,9 @@ def ca_kdc_check(api_instance, hostname):
raise errors.NotFound()
except errors.NotFound:
- raise errors.ACIError(info=_(
- "Host '%(hostname)s' is not an active KDC")
- % dict(hostname=hostname))
+ raise errors.ACIError(
+ info=_("Host '%(hostname)s' is not an active KDC")
+ % dict(hostname=hostname))
def validate_certificate(value):