From 82af886e17905b8bdaadf8fc2b8214ad85a94470 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Mon, 5 Jun 2017 12:35:52 +0000

Subject: [PATCH] server certinstall: update KDC master entry

After the KDC certificate is installed, add the PKINIT enabled flag to the

KDC master entry.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipaserver/install/ipa_server_certinstall.py | 9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py

index a14a84f188c62170c8ac11f823ebba60609e4cc7..9c8f6e81a802e1a87bab1fd15f729e10676fe3a3 100644

--- a/ipaserver/install/ipa_server_certinstall.py

+++ b/ipaserver/install/ipa_server_certinstall.py

@@ -34,7 +34,7 @@ from ipapython.certdb import (get_ca_nickname,

                               verify_kdc_cert_validity)

 from ipapython.dn import DN

 from ipalib import api, errors

-from ipaserver.install import certs, dsinstance, installutils

+from ipaserver.install import certs, dsinstance, installutils, krbinstance

 class ServerCertInstall(admintool.AdminTool):

@@ -223,6 +223,13 @@ class ServerCertInstall(admintool.AdminTool):

         except RuntimeError as e:

             raise admintool.ScriptError(str(e))

+        krb = krbinstance.KrbInstance()

+        krb.init_info(

+            realm_name=api.env.realm,

+            host_name=api.env.host,

+        )

+        krb.pkinit_enable()

+

     def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):

         # create a temp nssdb

         with NSSDatabase() as tempnssdb:

-- 

2.9.4