From 5aa15e551fe9b76c3e89862fe36b661825a807ce Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Tue, 4 Sep 2018 14:15:50 +0200

Subject: [PATCH] ipa-replica-install: fix pkinit setup

commit 7284097 (Delay enabling services until end of installer)

introduced a regression in replica installation.

When the replica requests a cert for PKINIT, a check is done

to ensure that the hostname corresponds to a machine with a

KDC service enabled (ipaconfigstring attribute of

cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain

'enabledService').

With the commit mentioned above, the service is set to enabled only

at the end of the installation.

The fix makes a less strict check, ensuring that 'enabledService'

or 'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 ipaserver/plugins/cert.py | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py

index 501fc9015468c864215cfb604de37cdf6d805e52..60ad140da3b1483ffe5918239a489030ccc7fe96 100644

--- a/ipaserver/plugins/cert.py

+++ b/ipaserver/plugins/cert.py

@@ -230,7 +230,8 @@ def ca_kdc_check(api_instance, hostname):

         ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}

-        if 'enabledservice' not in ipaconfigstring:

+        if 'enabledservice' not in ipaconfigstring \

+                and 'configuredservice' not in ipaconfigstring:

             raise errors.NotFound()

     except errors.NotFound:

-- 

2.17.1