[Ovirt-devel] [PATCH] replace kadmin.local with ipa-* commands

Alan Pevec apevec at redhat.com
Wed May 28 21:17:38 UTC 2008


replace kadmin.local with ipa-* commands

We should not use kadmin with IPA, see http://freeipa.org/page/IpaConcepts#How_IPA_and_Kerberos_Work_Together
This change finally makes 'grant_admin_privileges ovirtadmin' work, since the user object is now created under the expected prefix cn=users,cn=accounts

'grant_admin_privileges admin' is removed, admin is IPA system account and has nothing to do with oVirt


diff --git a/wui-appliance/wui-devel-x86_64.ks b/wui-appliance/wui-devel-x86_64.ks
index 1ab990f..173e448 100644
--- a/wui-appliance/wui-devel-x86_64.ks
+++ b/wui-appliance/wui-devel-x86_64.ks
@@ -30,7 +30,9 @@ for i in `seq 3 252` ; do
     echo "192.168.50.$i node$i.priv.ovirt.org" >> /etc/hosts
 done
 
-principal=ovirtadmin at PRIV.OVIRT.ORG
+principal=ovirtadmin
+realm=PRIV.OVIRT.ORG
+password=ovirt
 cron_file=/etc/cron.hourly/ovirtadmin.cron
 ktab_file=/usr/share/ovirt-wui/ovirtadmin.tab
 
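Review bot: `password=ovirt` on the third added line is a plaintext secret that the first-run hunk later reuses for all three ipa-server-install passwords (-p, -P, -a) and as the ovirtadmin user's password, so one leaked value compromises every role the appliance has. For a development appliance a throwaway default is defensible, but the variable should say so, so nobody copies this kickstart as a template; I'd add `# dev-appliance only: one throwaway password is shared by all ipa-server-install secrets and the ovirtadmin user (see first-run script)` above the assignment. The split of the old `ovirtadmin at PRIV.OVIRT.ORG` principal into `principal` and `realm` is consistent with the cron and first-run hunks below.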
@@ -40,7 +42,7 @@ cat > $cron_file << EOF
 #!/bin/bash
 export PATH=/usr/kerberos/bin:$PATH
 kdestroy
-kinit -k -t $ktab_file $principal
+kinit -k -t $ktab_file $principal@$realm
 EOF
 chmod 755 $cron_file
 
@@ -106,6 +108,8 @@ EOF
 first_run_file=/etc/init.d/ovirt-wui-dev-first-run
 sed -e "s, at cron_file@,$cron_file," \
     -e "s, at principal@,$principal," \
+    -e "s, at realm@,$realm," \
+    -e "s, at password@,$password,g" \
     -e "s, at ktab_file@,$ktab_file," \
    > $first_run_file << \EOF
 #!/bin/bash
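Review bot: The new `-e "s, at password@,$password,g"` line uses the password as a sed replacement string, so a value containing `,`, `&` or `\` would silently corrupt the generated init script; with the fixed `ovirt` this works, but anyone changing `password=` in the kickstart gets no error. A note such as `# NOTE: $password is a sed replacement; keep it free of ',' '&' and '\'` above the sed, or escaping those characters before substitution, would make that explicit. The substituted password also ends up in plaintext inside `$first_run_file` under /etc/init.d; the chmod that follows is outside this hunk, so I can't tell whether the file is world-readable. The here-document that the sed command reads (opened with the quoted `\EOF` on the line above, so no shell expansion happens there) continues past the end of the hunk.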
@@ -119,18 +123,18 @@ sed -e "s, at cron_file@,$cron_file," \
 # Source functions library
 . /etc/init.d/functions
 
-KADMIN=/usr/kerberos/sbin/kadmin.local
-
 start() {
 	echo -n "Starting ovirt-dev-wui-first-run: "
 	(
 	# set up freeipa
-	ipa-server-install -r PRIV.OVIRT.ORG -p ovirt -P ovirt -a ovirtwui \
+	ipa-server-install -r PRIV.OVIRT.ORG -p @password@ -P @password@ -a @password@ \
 	  --hostname management.priv.ovirt.org -u dirsrv -U
 
 	# now create the ovirtadmin user
-	$KADMIN -q 'addprinc -randkey @principal@'
-	$KADMIN -q 'ktadd -k @ktab_file@ @principal@'
+	echo @password@|kinit admin
+	ipa-adduser -f Ovirt -l Admin -p @password@ @principal@
+	ipa-moduser --setattr krbPasswordExpiration=19700101000000Z @principal@
+	ipa-getkeytab -s management.priv.ovirt.org -p @principal@ -k @ktab_file@
 	@cron_file@
 
 	) > /var/log/ovirt-wui-dev-first-run.log 2>&1
diff --git a/wui/scripts/ovirt-wui-install b/wui/scripts/ovirt-wui-install
index 9cc3ac4..61da1b6 100755
--- a/wui/scripts/ovirt-wui-install
+++ b/wui/scripts/ovirt-wui-install
@@ -184,9 +184,6 @@ mkdir -p log
 rake db:migrate
 cd -
 
-${OVIRT_DIR}/script/grant_admin_privileges admin
-[ $? != 0 ] && echo "Failed to grant admin privileges" && exit 1
-
 if [ -f ${OVIRT_DIR}/ovirtadmin.tab ]; then
     ${OVIRT_DIR}/script/grant_admin_privileges ovirtadmin
     [ $? != 0 ] && echo "Failed to grant ovirtadmin privileges" && exit 1
@@ -199,6 +196,3 @@ for svc in $OVIRT_SVCS $ENABLE_SVCS; do
 done
 
 exit 0
-
-
-



