From a8588c5006a61855cb178643916a02513df3fa31 Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Jun 29 2021 07:01:01 +0000
Subject: ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)


ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 97b92b7..79fdb3d 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1370,6 +1370,11 @@ def do_nsupdate(update_txt):
         result = True
     except CalledProcessError as e:
         logger.debug('nsupdate failed: %s', str(e))
+        try:
+            ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+            result = True
+        except CalledProcessError as e:
+            logger.debug('Unauthenticated nsupdate failed: %s', str(e))
 
     try:
         os.remove(UPDATE_FILE)