author | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-15 14:03:19 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 16:39:39 +0100 |
commit | b45629fc480e61464b402ac2fc52c6f9fc61df0e (patch) | |
tree | 8f2cd285f1795bf77627baf2b7ac82eb4742a298 /ipaserver/install | |
parent | 8f4abf7bc1607fc44f528b8a443b69cb82269e69 (diff) | |
check for replica's KDC entry on master before requesting PKINIT cert
This prevents replication-based race conditions from breaking PKINIT
certificate requests during replica installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/krbinstance.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 04cf681df..36d15886b 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -30,6 +30,7 @@ import dns.name
 from ipaserver.install import service
 from ipaserver.install import installutils
+from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython import kernel_keyring
 from ipalib import api
@@ -342,6 +343,17 @@ class KrbInstance(service.Service):
         self.move_service_to_host(host_principal)
+    def _wait_for_replica_kdc_entry(self):
+        master_dn = self.api.Object.server.get_dn(self.fqdn)
+        kdc_dn = DN(('cn', 'KDC'), master_dn)
+
+        ldap_uri = 'ldap://{}'.format(self.master_fqdn)
+
+        with ipaldap.LDAPClient(
+                ldap_uri, cacert=paths.IPA_CA_CRT) as remote_ldap:
+            remote_ldap.gssapi_bind()
+            replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
+
     def setup_pkinit(self):
         if self.pkcs12_info:
             certs.install_pem_from_p12(self.pkcs12_info[0],
@@ -368,6 +380,9 @@ class KrbInstance(service.Service):
         ]
         helper = " ".join(ca_args)
         prev_helper = certmonger.modify_ca_helper('IPA', helper)
+        else:
+            self._wait_for_replica_kdc_entry()
+
         certmonger.request_and_wait_for_cert(
             certpath, subject, |
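Review bot: `_wait_for_replica_kdc_entry` has no docstring, and neither the hard-coded `timeout=60` nor the behaviour when the entry never appears within it is documented; `replication.wait_for_entry` is opaque here, so whether it raises or returns silently on timeout cannot be read from the hunk, and the caller in `setup_pkinit` proceeds straight to `certmonger.request_and_wait_for_cert` either way. I would add a docstring along the lines of `"""Block until this replica's cn=KDC entry (under its server entry) is visible on self.master_fqdn over a GSSAPI-bound LDAP connection, so the PKINIT certificate request is not raced by replication (issue 6739). Raises whatever replication.wait_for_entry raises on timeout."""` and hoist the timeout into a named constant, e.g. `_KDC_ENTRY_REPLICATION_TIMEOUT = 60`, so it can be tuned and its meaning is visible. The connection is opened with a plain `ldap://` URI plus `cacert=paths.IPA_CA_CRT`; presumably `LDAPClient` upgrades to TLS or relies on GSSAPI integrity/confidentiality, but a one-line comment confirming which (`# GSSAPI bind provides integrity/confidentiality; cacert is for STARTTLS — TODO confirm`) would save the next reader a trip into ipaldap. The `KrbInstance` class continues outside the hunk.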
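Review bot: The new `else:` in `setup_pkinit` completes an `if` whose condition starts outside the hunk, and the branch calls a helper that dereferences `self.master_fqdn`; nothing in the visible lines shows that attribute is set on this path, so a reader must trust that the `if`/`else` split is exactly master-vs-replica. A short comment on the new branch would make the intent explicit, e.g. `# replica install: our KDC entry may not have replicated to the master yet; wait before requesting the PKINIT cert (issue 6739)`. If the condition is not already a direct test of `self.master_fqdn`, consider guarding the call with one so a misconfigured `None` fails with a clear message rather than inside the URI formatting.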