From 3129b874a2c222ff207f1302e5d85ae12df2eac9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Nov 11 2016 11:17:25 +0000
Subject: dsinstance: use keytab retrieval method from parent class

DS replica can now use remote API and ipa-getkeytab to create service principal and fetch the keytab in both domain levels. There is no need to use KDC installer to do it.

https://fedorahosted.org/freeipa/ticket/6405

Reviewed-By: Stanislav Laznicka
---

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 7c5cf92..a604010 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -390,8 +390,8 @@ class DsInstance(service.Service):
         self.__common_setup(enable_ssl=(not self.promote))
         self.step("restarting directory server", self.__restart_instance)
+        self.step("creating DS keytab", self._request_service_keytab)
         if self.promote:
-            self.step("creating DS keytab", self.__get_ds_keytab)
             if self.ca_is_configured:
                 self.step("retrieving DS Certificate", self.__get_ds_cert)
             self.step("restarting directory server", self.__restart_instance)
@@ -1224,29 +1224,14 @@ class DsInstance(service.Service):
         if self.domainlevel is not None:
             self._ldap_mod("domainlevel.ldif", self.sub_dict)
 
-    def __get_ds_keytab(self):
-
-        self.fstore.backup_file(self.keytab)
-        try:
-            os.unlink(self.keytab)
-        except OSError:
-            pass
-
-        installutils.install_service_keytab(self.api,
-                                            self.principal,
-                                            self.master_fqdn,
-                                            self.keytab,
-                                            force_service_add=True)
+    def _request_service_keytab(self):
+        super(DsInstance, self)._request_service_keytab()
 
         # Configure DS to use the keytab
         vardict = {"KRB5_KTNAME": self.keytab}
         ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
                                          replacevars=vardict)
 
-        # Keytab must be owned by DS itself
-        pent = pwd.getpwnam(self.service_user)
-        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
-
     def __get_ds_cert(self):
         subject = self.subject_base or DN(('O', self.realm))
         nssdb_dir = config_dirname(self.serverid)
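Review bot: The new `_request_service_keytab` drops the `os.chown(self.keytab, ...)` to `self.service_user` and the `fstore.backup_file`/`os.unlink` of any pre-existing keytab, and nothing in this hunk shows that `super(DsInstance, self)._request_service_keytab()` takes over either duty. If the base class writes the keytab as root with a restrictive mode the directory server process cannot read it, and if it leaves a stale keytab in place the old file survives a reinstall; both are worth checking against service.Service in the same series before merging. A one-line comment above the super() call, `# keytab ownership (service_user) and cleanup of a stale file are done by the base class`, would keep the next reader from looking for the chown here. The first hunk also moves this step out of the `if self.promote:` branch, so a non-promote install now relies on the base-class retrieval path where the keytab was previously created from the KDC installer (the krbinstance.py hunk removes that step), which this diff alone cannot confirm is equivalent.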
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d1fba7c..b7ae38f 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -177,9 +177,6 @@ class KrbInstance(service.Service):
         self.__common_setup(realm_name, host_name, domain_name, admin_password)
         self.step("configuring KDC", self.__configure_instance)
-        if not promote:
-            self.step("creating a keytab for the directory",
-                      self.__create_ds_keytab)
         self.step("adding the password extension to the directory",
                   self.__add_pwd_extop_module)
         if setup_pkinit:
             self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)