From 7fe3cba3d4cbe62c23e0e74f6bf3c44c50feb985 Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Tue, 4 Sep 2018 14:15:50 +0200

Subject: [PATCH] ipa-replica-install: fix pkinit setup

commit 7284097 (Delay enabling services until end of installer)

introduced a regression in replica installation.

When the replica requests a cert for PKINIT, a check is done

to ensure that the hostname corresponds to a machine with a

KDC service enabled (ipaconfigstring attribute of

cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain

'enabledService').

With the commit mentioned above, the service is set to enabled only

at the end of the installation.

The fix makes a less strict check, ensuring that 'enabledService'

or 'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 ipaserver/plugins/cert.py | 6 ++++--

 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py

index 0663272c9b4fd73225f63fe52d8d31157d5cc690..ed78388c8b8b4688873a5b047fb1b67e417a8a6d 100644

--- a/ipaserver/plugins/cert.py

+++ b/ipaserver/plugins/cert.py

@@ -300,9 +300,11 @@ def ca_kdc_check(api_instance, hostname):

         ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}

-        if 'enabledservice' not in ipaconfigstring:

+        if 'enabledservice' not in ipaconfigstring \

+                and 'configuredservice' not in ipaconfigstring:

             raise errors.NotFound(

-                reason=_("enabledService not in ipaConfigString kdc entry"))

+                reason=_("enabledService/configuredService not in "

+                         "ipaConfigString kdc entry"))

     except errors.NotFound:

         raise errors.ACIError(

-- 

2.17.1