The attached patches fix
https://fedorahosted.org/freeipa/ticket/5963

Thanks Milan for reporting.

Cheers,
Fraser
From aef64476fef6e3a850d7a4375dbbff098a9439ba Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 17 Jun 2016 10:57:32 +1000
Subject: [PATCH 70/71] Split CA replica installation steps for domain level 0

Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963
---
 ipaserver/install/server/replicainstall.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py 
b/ipaserver/install/server/replicainstall.py
index 
f597880471eb3710ebc7163f771d4e6dc9f1e3d6..39d528b3e21ce858a9d5334a3884560dea9ca675
 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -798,12 +798,17 @@ def install(installer):
         if ca_enabled:
             options.ra_p12 = config.dir + "/ra.p12"
 
-        ca.install(False, config, options)
+        ca.install_step_0(False, config, options)
 
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
     http = install_http(config, auto_redirect=not options.no_ui_redirect,
                         ca_is_configured=ca_enabled)
 
+    if config.setup_ca:
+        # Done after install_krb() because lightweight CA key
+        # retrieval setup needs to create kerberos principal.
+        ca.install_step_1(False, config, options)
+
     otpd = otpdinstance.OtpdInstance()
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                          ipautil.realm_to_suffix(config.realm_name))
-- 
2.5.5

From 128ef9ebf89699f34e5420f567aac7ea1d07d547 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 17 Jun 2016 14:31:08 +1000
Subject: [PATCH 71/71] Fix migration from pre-lightweight CAs master

Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.

Fixes: https://fedorahosted.org/freeipa/ticket/5963
---
 ipaserver/install/cainstance.py | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
8dfb71528d2dc020e05ccd7ff42199218a1c0839..e8b505cf04ffd784c21da2be3899cf3681210b0f
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -420,6 +420,8 @@ class CAInstance(DogtagInstance):
             self.step("authorizing RA to modify profiles", 
configure_profiles_acl)
             self.step("authorizing RA to manage lightweight CAs",
                       configure_lightweight_ca_acls)
+            self.step("Ensure lightweight CAs container exists",
+                      ensure_lightweight_cas_container)
             self.step("configure certmonger for renewals", 
self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
             if not self.clone:
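Review bot: The new step description `"Ensure lightweight CAs container exists"` is capitalized unlike its neighbours (`"authorizing RA …"`, `"configure certmonger …"`), and these descriptions are shown as installer progress; `"ensuring lightweight CAs container exists"` would match the surrounding style, and the same wording applies to the second step added in the `@@ -1344` hunk. `ensure_lightweight_cas_container` is not defined in this patch, so it presumably comes from an earlier patch in the series — worth confirming it is in place before this one lands. The docstring expanded later in this patch says Dogtag must be restarted after this container is created and before `ensure_ipa_authority_entry` runs; a short comment on the step, `# must precede the Dogtag (re)start that creates the host authority`, would record that ordering constraint in the step list, where it is easiest to break. The method holding this step list starts before the hunk.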
@@ -1344,6 +1346,8 @@ class CAInstance(DogtagInstance):
                   self.enable_pkix)
         self.step("set up client auth to db", self.__client_auth_to_db)
         self.step("destroying installation admin user", self.teardown_admin)
+        self.step("Ensure lightweight CAs container exists",
+                  ensure_lightweight_cas_container)
         self.step("Configure lightweight CA key retrieval",
                   self.setup_lightweight_ca_key_retrieval)
         self.step("starting instance", self.start_instance)
@@ -1414,6 +1418,18 @@ class CAInstance(DogtagInstance):
         pent = pwd.getpwnam(constants.PKI_USER)
 
         root_logger.info('Creating Custodia keys')
+        custodia_basedn = DN(
+            ('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+        ensure_entry(
+            custodia_basedn,
+            objectclass=['top', 'nsContainer'],
+            cn=['custodia'],
+        )
+        ensure_entry(
+            DN(('cn', 'dogtag'), custodia_basedn),
+            objectclass=['top', 'nsContainer'],
+            cn=['dogtag'],
+        )
         keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
         keystore = IPAKEMKeys({'server_keys': keyfile})
         keystore.generate_keys(service)
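Review bot: The two `ensure_entry` calls create `cn=custodia,cn=ipa,cn=etc` and `cn=dogtag` beneath it without saying why a CA installer is creating Custodia containers; a comment such as `# A master that predates lightweight CAs may lack the Custodia containers (ticket 5963), so create them before generating keys.` would tie the code to the commit's intent. Only the two leaf containers are ensured; if `cn=ipa,cn=etc` could itself be absent on such a master the first call would fail — presumably that container is part of the base tree, but it is worth confirming. The `['top', 'nsContainer']` object class list is now spelled out twice here and once more in `ensure_ipa_authority_entry`; a module-level constant would keep the three in step. The enclosing method starts before this hunk and continues past it.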
@@ -1902,7 +1918,15 @@ def _create_dogtag_profile(profile_id, profile_data, 
overwrite):
 
 
 def ensure_ipa_authority_entry():
-    """Add the IPA CA ipaCa object if missing."""
+    """Add the IPA CA ipaCa object if missing.
+
+    This requires the "host authority" authority entry to have been
+    created, which Dogtag will do automatically upon startup, if the
+    ou=authorities,ou=ca,o=ipaca container exists.  Therefore, the
+    ``ensure_lightweight_cas_container`` function must be executed,
+    and Dogtag restarted, before executing this function.
+
+    """
 
     # find out authority id, issuer DN and subject DN of IPA CA
     #
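Review bot: The expanded docstring states a precondition (container present and Dogtag restarted) but not what happens when it is unmet; from the `return` at the top of the next hunk it looks like the function returns without creating the entry, so a sentence like `If the host authority entry cannot be found, this function returns without creating the ipaCa object.` would tell a caller why the entry may silently be missing — confirm against the body, which lies outside this hunk. The blank line before the closing `"""` is unusual for a PEP 257 docstring; the closing quotes can directly follow the last line of text. `ensure_ipa_authority_entry` continues past this hunk.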
@@ -1926,6 +1950,11 @@ def ensure_ipa_authority_entry():
             return
 
     ensure_entry(
+        DN(api.env.container_ca, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['cas'],
+    )
+    ensure_entry(
         DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, 
api.env.basedn),
         objectclass=['top', 'ipaca'],
         cn=[ipalib.constants.IPA_CA_CN],
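Review bot: The container entry is added with `cn=['cas']` hard-coded while its DN is taken from `api.env.container_ca`; if the two ever disagree, the naming attribute in the entry would not match the RDN and the add would fail, or on a lenient server leave an inconsistent entry. Deriving the `cn` value from the leading RDN of `api.env.container_ca` instead of the literal would keep them in step. A one-line comment noting that this container is missing on masters that predate lightweight CAs (the case this patch fixes) would explain why a function named `ensure_ipa_authority_entry` also creates the parent container. `ensure_ipa_authority_entry` continues past this hunk.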
-- 
2.5.5
