New code using the replica promotion mechanism relies on a GSSAPI LDAP remote connection to the master server.
In case the user does not have enough privileges, the installation of ipa-ca-install, ipa-server-install (and probably ipa-kra-install) on a replica will fail at a random step depending on the user's privileges.
We should check whether the user's privileges are enough to completely finish the installation.
Related tickets: #5400, #5399
We should check if the user can perform a critically privileged operation necessary for joining a replica. If we had a Replica Admins group we might use that, but we don't, and it may still not be appropriate. We shouldn't have blanket checks on some magical group though, as that will break later if we add delegation rules for this operation. For example, we have future plans to allow a preissued OTP/keytab to create a new replica. The identity associated with that keytab will Definitely Not be in the admins group.
master:
The ipaservers membership check is done too early and may fail with a "not found" error in domain level 0.
Reopening the ticket.
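One way to implement the pre-flight check the two comments above ask for (can the bound identity perform the privileged operation, here adding the new host to the ipaservers host group, and is the host group actually there), shown as an added example that is not FreeIPA's own code. It assumes: a Kerberos ticket is already held so a GSSAPI SASL bind to the master works; python-ldap's GetEffectiveRightsControl and 389-ds's Get Effective Rights output format ("entryLevelRights: vadn", "attributeLevelRights: member:rscwo"); the hostgroup DN layout cn=ipaservers,cn=hostgroups,cn=accounts,<suffix>; and that the missing-host-group case (domain level 0) should be reported separately from missing privileges rather than surfacing later as "not found". The function names and the sample right strings are constructed for this illustration.

```python
"""Pre-flight privilege check before a promotion-based replica install.

Added example, not FreeIPA code. The decision logic is pure Python and can
be exercised offline; only check_on_master() talks to a directory server.
"""

# Constructed assumption: standard FreeIPA host group location.
IPASERVERS_RDN = "cn=ipaservers,cn=hostgroups,cn=accounts"


def ipaservers_dn(suffix):
    """DN of the ipaservers host group under the given suffix."""
    return "%s,%s" % (IPASERVERS_RDN, suffix)


def _letters(values):
    """First value of a python-ldap attribute list (bytes or str) as a set."""
    for raw in values or []:
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        return set(raw.strip())
    return set()


def parse_attribute_rights(values):
    """Parse 389-ds attributeLevelRights values.

    [b"member:rscwo", b"cn:rsc"] -> {"member": {r,s,c,w,o}, "cn": {r,s,c}}
    (r=read s=search c=compare w=write/add values o=delete values).
    """
    rights = {}
    for raw in values or []:
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        attr, sep, letters = raw.partition(":")
        if sep:
            rights[attr.strip().lower()] = set(letters.strip())
    return rights


def evaluate(entry_rights, attr_rights, found=True):
    """Return (ok, reason) for the replica-join precondition.

    found=False models the domain level 0 case, where cn=ipaservers does not
    exist yet: that is a different failure than insufficient privileges and
    the installer should say so up front rather than failing mid-install.
    """
    if not found:
        return (False, "ipaservers host group not found (domain level 0?)")
    if "v" not in _letters(entry_rights):
        return (False, "bound identity cannot read the ipaservers host group")
    member = parse_attribute_rights(attr_rights).get("member", set())
    if "w" not in member:
        return (False, "bound identity cannot add members to ipaservers")
    return (True, "bound identity may add this host to ipaservers")


def check_on_master(ldap_uri, suffix):
    """GSSAPI-bind to the master and ask for the bound identity's rights.

    Needs python-ldap, a Kerberos ticket and a reachable master; not run
    offline. Assumes 389-ds honours the Get Effective Rights control and
    that whoami returns "dn: <bound dn>", which is the authzId form the
    control expects.
    """
    import ldap
    import ldap.sasl
    from ldap.controls import GetEffectiveRightsControl

    conn = ldap.initialize(ldap_uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    authz = conn.whoami_s()
    if isinstance(authz, str):
        authz = authz.encode("utf-8")
    ger = GetEffectiveRightsControl(True, authz)
    try:
        res = conn.search_ext_s(
            ipaservers_dn(suffix), ldap.SCOPE_BASE, "(objectClass=*)",
            ["member", "entryLevelRights", "attributeLevelRights"],
            serverctrls=[ger])
    except ldap.NO_SUCH_OBJECT:
        return evaluate(None, None, found=False)
    _dn, attrs = res[0]
    return evaluate(attrs.get("entryLevelRights"),
                    attrs.get("attributeLevelRights"))


if __name__ == "__main__":
    # Constructed sample of what 389-ds returns for an admin and for a
    # read-only identity; no server needed.
    print(evaluate([b"vadn"], [b"member:rscwo", b"cn:rsc"]))
    print(evaluate([b"v"], [b"member:rsc"]))
    print(evaluate(None, None, found=False))
```

Running the check with the installer's own credentials before any step modifies the replica gives one clear failure message instead of a half-configured host, and keeps the decision tied to the operation (write on `member` of ipaservers) rather than to membership in any particular group, which is the point raised about future OTP/keytab-based enrolment.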
Metadata Update from @mbasti: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.3