Cloned from upstream: https://pagure.io/freeipa/issue/6801
pkinit is not allowed on DL0 so new master/replica installations should not allow any PKINIT options to be set and should force `--no-pkinit`.
6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check
9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0
8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs
fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files
497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check
a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0
85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs
8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files
How can I attempt to install a master with DL0 with pkinit options? I thought those weren't introduced until 4.5. So can I attempt a DL0 Master install somehow with those or is this really just for replica installs?
Testing on a replica. Just checking that this is the intended behavior?
I setup a RHEL6.9 IPA Master and ran
[root@rhel6-1 ~]# ipa-replica-prepare --ip-address=192.168.122.73 --reverse-zone=122.168.192.in-addr.arpa. rhel7-3.example.com
Directory Manager (existing master) password:
Preparing replica for rhel7-3.example.com from rhel6-1.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Packaging replica information into /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Adding DNS records for rhel7-3.example.com
Using reverse zone 122.168.192.in-addr.arpa.
Checking that pkinit options don't work for
[root@rhel7-3 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -n example.com -r EXAMPLE.COM -P Secret123 --pkinit-cert-file=/dev/null --pkinit-pin=123456 --pkinit-cert-name=KDC /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Usage: ipa-replica-install [options] [REPLICA_FILE]
ipa-replica-install: error: pkinit on domain level 0 is not supported. Please don't use any pkinit-related options.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Domain level 0 master can also be a IPA 4.5 upgraded from IPA 4.2 or IPA 4.4 (which was still on domain level 0).
Alternative, quick, but not supported option is to use undocumented '--domain-level 0' option to test this without upgrading.
Since we can't run ipa-server-install on IPA 4.5 after it was already run on 4.2 and then upgraded, we are focused here on the replica-install on domain level 0.
See comment #6
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.