From 0e232b5f526168af6bb0b52244f79dfacb43a9b7 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Nov 11 2016 11:13:56 +0000 Subject: replica install: use one remote KRA host name everywhere Remote master and KRA host names may differ. Always use the remote KRA host name and never the remote master host name in KRA replica install. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka --- diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index 4f24d58..fd22288 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -188,7 +188,7 @@ class KRAInstaller(KRAInstall): if self.installing_replica: if self.options.promote: config = ReplicaConfig() - config.master_host_name = None + config.kra_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain @@ -201,17 +201,15 @@ class KRAInstaller(KRAInstall): self.options.password, self.replica_file, self.options) + config.kra_host_name = config.master_host_name if config.subject_base is None: attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] - if config.master_host_name is None: + if config.kra_host_name is None: config.kra_host_name = service.find_providing_server( 'KRA', api.Backend.ldap2, api.env.ca_host) - config.master_host_name = config.kra_host_name - else: - config.kra_host_name = config.master_host_name try: kra.install_check(api, config, self.options) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 77f23c1..22fe38a 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py 
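Review bot: In the promote branch of the first ipa_kra_install.py hunk, `config.master_host_name` is no longer assigned on the fresh `ReplicaConfig()`, so any remaining reader of that attribute now depends on `ReplicaConfig` defining a default, which is not visible here. If it does not, such an access would raise AttributeError instead of seeing `None`. Either confirm that nothing reached from `kra.install_check` still reads `config.master_host_name` in this path, or keep the old initialisation next to the new one: `config.master_host_name = None`. The enclosing method begins and ends outside the hunk.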
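Review bot: The result of `service.find_providing_server('KRA', api.Backend.ldap2, api.env.ca_host)` in the second ipa_kra_install.py hunk is stored without a None check before `kra.install_check(api, config, self.options)` runs. The `promote_check` hunk in replicainstall.py tests the same helper's result against `None`, so presumably it can return `None` here too. Unless `kra.install_check` already rejects that case (not visible), a guard right after the lookup would fail early with a clear message instead of carrying a missing clone source into the install: `if config.kra_host_name is None: raise RuntimeError("no KRA server found in the domain")`, using whatever error type this tool already raises. The method body continues outside the hunk.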
@@ -428,7 +428,7 @@ def install_replica_kra(config, postinstall=False): _kra.configure_instance(config.realm_name, config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(krafile,), - master_host=config.master_host_name, + master_host=config.kra_host_name, subject_base=config.subject_base) # Restart httpd since we changed it's config and added ipa-pki-proxy.conf diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 96f4adb..05718a5 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -550,6 +550,7 @@ def install_check(installer): config = create_replica_config(dirman_password, filename, options) config.ca_host_name = config.master_host_name + config.kra_host_name = config.ca_host_name config.setup_ca = options.setup_ca config.setup_kra = options.setup_kra installer._top_dir = config.top_dir @@ -1041,6 +1042,7 @@ def promote_check(installer): config.domain_name = api.env.domain config.master_host_name = api.env.server config.ca_host_name = api.env.ca_host + config.kra_host_name = config.ca_host_name config.setup_ca = options.setup_ca config.setup_kra = options.setup_kra config.dir = installer._top_dir @@ -1277,8 +1279,8 @@ def promote_check(installer): "custom certificates.") raise ScriptError(rval=3) - config.kra_host_name = service.find_providing_server('KRA', conn, - api.env.server) + config.kra_host_name = service.find_providing_server( + 'KRA', conn, config.kra_host_name) if options.setup_kra and config.kra_host_name is None: root_logger.error("There is no KRA server in the domain, can't " "setup a KRA clone")
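Review bot: In the krainstance.py hunk, `master_host=config.kra_host_name` passes a KRA host through a keyword still named `master_host`, which reads like a mistake without the commit message at hand. A one-line comment above the call would help, for example `# clone from the host that runs KRA; it may differ from the replication master`. `install_replica_kra` now also relies on every caller having set `config.kra_host_name`, and its docstring could say so. The function starts and ends outside the hunk.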
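Review bot: `config.kra_host_name = config.ca_host_name` in the `install_check` hunk (and again in the `promote_check` hunk at line 1042) seeds the KRA host with the CA host, which is not necessarily a host running KRA. In `promote_check` the value is later replaced by the `find_providing_server` lookup, but no equivalent check is visible in the `install_check` hunk. With `options.setup_kra` set, the replica-file path therefore appears to trust that the master also provides KRA. A comment stating that assumption would help: `# replica file comes from the master; assumed to be the KRA clone source`. Both functions extend beyond their hunks.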
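Review bot: In the last replicainstall.py hunk, `config.kra_host_name` is both the preferred-host argument and the target of the assignment, so its provisional value (the CA host set at line 1042) is silently overwritten. A local name would make the hint/result split obvious: `preferred_kra_host = config.kra_host_name`, then `config.kra_host_name = service.find_providing_server('KRA', conn, preferred_kra_host)`. This host is presumably where the KRA clone is taken from, so logging the selection with `root_logger.debug("KRA clone source: %s", config.kra_host_name)` would record which server was chosen. The None check that follows applies only when `options.setup_kra` is set, so any other reader of the attribute must tolerate `None`.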