#6405 unify domain level-specific mechanisms for replica's DS/HTTP keytab generation
Closed: Fixed. Opened 7 years ago by mbabinsk.

Currently the mechanisms by which DS and Apache get service keytabs during replica install differ between domain level 0 and domain level 1 (e.g. in DL1 the directory server requests the keytab from a remote master, while in DL0 the KDC installer generates it).

This makes it hard to abstract domain-level specific behavior from the replica installer(s).

Both domain levels should have a common mechanism to request service keytabs so that the amount of domain-level-specific behavior is kept to a minimum. This may require more substantial modifications to the replica installation workflows.

Part of the installer refactoring effort.
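The shape of the "common mechanism" the ticket asks for, as an added example written for this page rather than code taken from FreeIPA: a single keytab-request method on a shared `Service` base class that hides the domain-level difference from the DS and HTTP installers. The class names, the `keytab_request_command` method, the `DOMAIN_LEVEL_*` constants and the exact choice of `ipa-getkeytab` arguments are assumptions made for illustration; `ipa-getkeytab` and its `-k`, `-p`, `-s`, `-D` and `-w` options are real.

```python
# Added example, not FreeIPA's own installer code. It models the ticket's
# description: in DL1 the service asks the remote master for its keytab
# using the replica's host credentials, in DL0 the keytab is produced
# locally with Directory Manager credentials. Names are hypothetical.

DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1


class Service:
    """Hypothetical base class a DS or HTTP installer would inherit from."""

    service_prefix = None  # "ldap" or "HTTP"; set by the subclass

    def __init__(self, fqdn, realm, domain_level, keytab):
        self.fqdn = fqdn                  # this replica's host name
        self.realm = realm
        self.domain_level = domain_level
        self.keytab = keytab              # where the keytab will be written

    @property
    def principal(self):
        return "%s/%s@%s" % (self.service_prefix, self.fqdn, self.realm)

    def keytab_request_command(self, master_fqdn, dm_password=None):
        """Return the ipa-getkeytab argv that fetches this service's keytab.

        DL1: ask the remote master; the replica authenticates with its own
        host credentials, so no password is involved.
        DL0: the remote master cannot authorize a host-authenticated
        request, so the keytab is generated against the local server by
        binding as Directory Manager (assumed behaviour for this example).
        Callers never need to know which case applies.
        """
        argv = ["ipa-getkeytab", "-k", self.keytab, "-p", self.principal]
        if self.domain_level >= DOMAIN_LEVEL_1:
            return argv + ["-s", master_fqdn]
        if dm_password is None:
            raise ValueError("domain level 0 requires the Directory Manager password")
        # Caveat: a password given via -w is visible in argv to other local
        # users (e.g. via /proc); production code should avoid that path.
        return argv + ["-s", self.fqdn,
                       "-D", "cn=Directory Manager", "-w", dm_password]


class DsInstance(Service):
    service_prefix = "ldap"


class HTTPInstance(Service):
    service_prefix = "HTTP"


def request_all_keytabs(services, master_fqdn, dm_password=None):
    """Hypothetical installer step: every service is handled the same way."""
    return [s.keytab_request_command(master_fqdn, dm_password) for s in services]
```

The point of the split is that `DsInstance` and `HTTPInstance` carry no domain-level logic at all; only the base class knows that DL0 needs DM credentials, which is what lets the replica installers stay domain-level agnostic.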


master:

  • 6ca96b3 Fix the naming of ipa-dnskeysyncd service principal

The related patches were pushed as part of #6392

master:

  • 7cd3b1b installutils: remove 'install_service_keytab' function
  • 73fc155 domain-level agnostic keytab retrieval in httpinstance
  • 4e97a01 installers: restart DS after KDC is configured
  • 3129b87 dsinstance: use keytab retrieval method from parent class
  • 6181844 use DM credentials to retrieve service keytab only in DL0
  • 4286f38 Service: common method for service keytab requests
  • 3259998 Turn Kerberos-related properties to Service class members
  • 81bf72d Make service user name a class member of Service
  • 15f282c service installers: clean up the inheritance

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.5

7 years ago
