Title: #1138: KRA install: log into security domain on master
KRA clone installation can fail due to security domain token
authentication failure that arises because:

1. The security domain session gets created on the replica's CA
2. The "updateNumberRange" is performed against the master's KRA
   subsystem, and results in a token authentication request to
   the CA subsystem on the same host (i.e. the master)
3. LDAP replication lag means that the master does not yet see
   the security domain session that was created on the replica.

To avoid this problem, update the KRA pkispawn configuration for
cloning to log into the security domain on the master, instead of
the CA subsystem on the replica.

How to test:

- Install DL0 master. Perform replica installation with CA and KRA.
- Install DL0 master. Perform replica installation with CA. Perform subsequent KRA
  installation with `ipa-kra-install`.
- Install DL1 master. Perform replica installation with CA and KRA
  (i.e. check that this still works).

To pull the PR as a Git branch:

```
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1138/head:pr1138
git checkout pr1138
```