From 23030ef4f4faa9bf3ee13d13dedb2e0a21da1f2a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 3 May 2017 10:21:12 +0200
Subject: [PATCH] ipa-server-install with external CA: fix pkinit cert issuance
ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.
The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.
https://pagure.io/freeipa/issue/6921
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
---
ipaserver/install/krbinstance.py | 8 ++++++++
ipaserver/install/server/install.py | 4 ++++
2 files changed, 12 insertions(+)
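diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 76ac3029ca6d1cbdd85c6ced6272c6f9a21f04a1..2f14ff592064d3446f73b31e615b2de88d6d786c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -108,6 +108,14 @@ class KrbInstance(service.Service):
 suffix = ipautil.dn_attribute_property('_suffix')
 subject_base = ipautil.dn_attribute_property('_subject_base')
 
+ def init_info(self, realm_name, host_name, setup_pkinit=False,
+ subject_base=None):
+ self.fqdn = host_name
+ self.realm = realm_name
+ self.suffix = ipautil.realm_to_suffix(realm_name)
+ self.subject_base = subject_base
+ self.config_pkinit = setup_pkinit
+
 def get_realm_suffix(self):
 return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
 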
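Review bot: `init_info` has no docstring, and nothing in it says that it is a partial initializer which has to run before `enable_ssl()`. Per the commit message, an instance that reaches `enable_ssl()` with `config_pkinit` unset takes the wrong certificate path, so that ordering is a contract worth stating, for example `"""Set host, realm, suffix, subject base and the PKINIT flag on an instance that is not being created, so that enable_ssl() can issue the PKINIT certificate."""`. The `subject_base=None` default also deserves a line on what `None` means for the issued certificate's subject, since the hunk does not show how `enable_ssl()` consumes it. The body of `KrbInstance` starts and continues outside the hunk.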
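diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b360e0532ce1b9b729be1cc2398cb2b46620901c..0ce60e964cb210708e56fb43a5b70f8e3405caf2 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -768,6 +768,10 @@ def install(installer):
 setup_pkinit=not options.no_pkinit,
 pkcs12_info=pkinit_pkcs12_info,
 subject_base=options.subject_base)
+ else:
+ krb.init_info(realm_name, host_name,
+ setup_pkinit=not options.no_pkinit,
+ subject_base=options.subject_base)
 
 if setup_ca:
 if not options.external_cert_files and options.external_ca: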
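Review bot: The new `else` branch calls `krb.init_info(...)` without the `pkcs12_info=pkinit_pkcs12_info` that the call just above it passes, and `init_info` has no parameter for it. If `enable_ssl()` consults the instance's PKCS#12 setting to choose between installing an operator-supplied PKINIT certificate and requesting one from the CA, this path would ignore a supplied certificate; that method is not visible here, so this needs confirming. Both calls also repeat `setup_pkinit=not options.no_pkinit` and `subject_base=options.subject_base`, so binding those values once before the `if` would keep the two branches from drifting apart. The `if` that this `else` belongs to, and the rest of `install()`, lie outside the hunk.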
--
2.12.2