From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Aug 2020 18:52:07 +0200
Subject: [PATCH] CAless installation: set the perms on KDC cert file
|
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
|
The fix makes sure that the KDC cert file is saved with 644 perms.
|
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/krbinstance.py | 2 ++
1 file changed, 2 insertions(+)
|
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 09d14693c..1910ff374 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
certs.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_CERT)
+ # The KDC cert needs to be readable by everyone
+ os.chmod(paths.KDC_CERT, 0o644)
certs.install_key_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_KEY)
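Review bot: The added `os.chmod(paths.KDC_CERT, 0o644)` runs only after `certs.install_pem_from_p12` has already written the file, so the cert briefly exists with whatever mode the helper chose; having the helper create the file with the intended mode (or accept a mode argument) would close that gap and keep the permission policy next to the write. The new comment says what the line does but not why; `# The KDC cert is public and must be world-readable so non-root consumers (e.g. the WebUI login path) can load it; the private key installed below must keep its restrictive mode.` would record the reason and the deliberate asymmetry with the key. The hunk also relies on `os` being imported in krbinstance.py, which is outside the hunk and presumably already the case. Ownership is not touched here, so whether the file ends up root-owned depends on the helper. The enclosing method starts and ends outside the hunk.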
--
2.26.2
|
From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Aug 2020 18:53:47 +0200
Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
|
The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.
|
Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_caless.py | 9 +++++++++
1 file changed, 9 insertions(+)
|
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a7b2cbbbc..1ea7d9896 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
assert result.returncode == 0
|
|
+def verify_kdc_cert_perms(host):
+ """Verify that the KDC cert pem file has 0644 perms"""
+ cmd = host.run_command(['stat', '-c',
+ '"%a %G:%U"', paths.KDC_CERT])
+ assert "644 root:root" in cmd.stdout_text
+
+
class TestPKINIT(CALessBase):
"""Install master and replica with PKINIT"""
num_replicas = 1
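Review bot: In `verify_kdc_cert_perms` the `stat` format `'"%a %G:%U"'` is passed as a list element, so the double quotes are emitted literally into the output, and `%G:%U` prints group before user while the expected string reads as user:group; the substring check passes only because both are root and would also accept extra surrounding text. Tightening it to `cmd = host.run_command(['stat', '-c', '%a %U:%G', paths.KDC_CERT])` and `assert cmd.stdout_text.strip() == "644 root:root"` makes the assertion exact and the label order match. The docstring could also state the ownership part of the contract, since the assertion checks it: `"""Verify that the KDC cert pem file is 0644 and owned by root:root"""`.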
@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
result = cls.install_server(pkinit_pkcs12_exists=True,
pkinit_pin=_DEFAULT)
assert result.returncode == 0
+ verify_kdc_cert_perms(cls.master)
|
@replica_install_teardown
def test_server_replica_install_pkinit(self):
@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
pkinit_pin=_DEFAULT)
assert result.returncode == 0
self.verify_installation()
+ verify_kdc_cert_perms(self.replicas[0])
|
|
class TestServerReplicaCALessToCAFull(CALessBase):
--
2.26.2
|