1 files changed, 62 insertions, 38 deletions

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 9050c8e08..5050fb134 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -40,11 +40,12 @@ import errno
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
+import gssapi
 
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
 QUIET = False
-CCACHE_FILE = paths.CONNCHECK_CCACHE
+CCACHE_FILE = None
 KRB5_CONFIG = None
 
 class SshExec(object):
@@ -69,7 +70,12 @@ class SshExec(object):
         if verbose:
             cmd.insert(1, '-v')
 
-        env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
+        env = dict()
+        if KRB5_CONFIG is not None:
+            env['KRB5_CONFIG'] = KRB5_CONFIG
+        if CCACHE_FILE is not None:
+            env['KRB5CCNAME'] = CCACHE_FILE
+
         return ipautil.run(cmd, env=env, raiseonerr=False)
 
 
@@ -110,7 +116,7 @@ def parse_options():
     replica_group.add_option("-k", "--kdc", dest="kdc",
                       help="Master KDC. Defaults to master address")
     replica_group.add_option("-p", "--principal", dest="principal",
-                      default="admin", help="Principal to use to log in to remote master")
+                      default=None, help="Principal to use to log in to remote master")
     replica_group.add_option("-w", "--password", dest="password", sensitive=True,
                       help="Password for the principal"),
     parser.add_option_group(replica_group)
@@ -352,45 +358,63 @@ def main():
         remote_check_opts = ['--replica %s' % options.hostname]
 
         if options.auto_master_check:
-            (krb_fd, krb_name) = tempfile.mkstemp()
-            os.close(krb_fd)
-            configure_krb5_conf(options.realm, options.kdc, krb_name)
-            global KRB5_CONFIG
-            KRB5_CONFIG = krb_name
-
             print_info("Get credentials to log in to remote master")
-            if options.principal.find('@') == -1:
-                principal = '%s@%s' % (options.principal, options.realm)
-                user = options.principal
+            cred = None
+            if options.principal is None:
+                # Check if ccache is available
+                try:
+                    root_logger.debug('KRB5CCNAME set to %s' %
+                                      os.environ.get('KRB5CCNAME', None))
+                    # get default creds, will raise if none found
+                    cred = gssapi.creds.Credentials()
+                    principal = str(cred.name)
+                except gssapi.raw.misc.GSSError as e:
+                    root_logger.debug('Failed to find default ccache: %s' % e)
+                    # Use admin as the default principal
+                    principal = "admin"
             else:
                 principal = options.principal
-                user = options.principal.partition('@')[0]
-
-            if options.password:
-                password=options.password
-            else:
-                password = installutils.read_password(principal, confirm=False,
-                           validate=False, retry=False)
-                if password is None:
-                    sys.exit("Principal password required")
-
-
-            stderr=''
-            (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
-                 env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
-                 stdin=password, raiseonerr=False)
-            if returncode != 0:
-                raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
-
-            # Verify kinit was actually successful
-            stderr=''
-            (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
-                 'host/%s' % options.master],
-                 env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
-                 raiseonerr=False)
-            if returncode != 0:
-                raise RuntimeError("Could not get ticket for master server: %s" % stderr)
 
+            if cred is None:
+                (krb_fd, krb_name) = tempfile.mkstemp()
+                os.close(krb_fd)
+                configure_krb5_conf(options.realm, options.kdc, krb_name)
+                global KRB5_CONFIG
+                KRB5_CONFIG = krb_name
+                (ccache_fd, ccache_name) = tempfile.mkstemp()
+                os.close(ccache_fd)
+                global CCACHE_FILE
+                CCACHE_FILE = ccache_name
+
+                if principal.find('@') == -1:
+                    principal = '%s@%s' % (principal, options.realm)
+
+                if options.password:
+                    password=options.password
+                else:
+                    password = installutils.read_password(principal, confirm=False,
+                               validate=False, retry=False)
+                    if password is None:
+                        sys.exit("Principal password required")
+
+
+                stderr=''
+                (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
+                     env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+                    stdin=password, raiseonerr=False)
+                if returncode != 0:
+                    raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
+
+                # Verify kinit was actually successful
+                stderr=''
+                (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
+                     'host/%s' % options.master],
+                    env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+                    raiseonerr=False)
+                if returncode != 0:
+                    raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
+            user = principal.partition('@')[0]
             ssh = SshExec(user, options.master)
 
             print_info("Check SSH connection to remote master")