rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0038-Move-client-certificate-request-after-krb5.conf-is-c.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   3cf087b4307680ae49aca0c4c3bf79790e5a0af0
  2.   SOURCES
  3.   0038-Move-client-certificate-request-after-krb5.conf-is-c.patch
Blob History Raw
43edf8 
From b043d78bf300a2ec7aa5cc73eb89c56334c6588e Mon Sep 17 00:00:00 2001
43edf8 
From: Florence Blanc-Renaud <flo@redhat.com>
43edf8 
Date: Wed, 15 Mar 2023 12:00:46 +0100
43edf8 
Subject: [PATCH] Move client certificate request after krb5.conf is created
43edf8
43edf8 
The creation of krb5.conf was moved to the end of the script
43edf8 
as part of maintaining server affinity during ipa-client-install.
43edf8 
If the installation is faster than replication then requests
43edf8 
against some IPA servers may fail because the client entry is
43edf8 
not yet present.
43edf8
43edf8 
This is more difficult with certmonger as it will only use
43edf8 
/etc/krb5.conf. There is no way of knowing, even at the end
43edf8 
of the client installation, that replication has finished.
43edf8
43edf8 
Certificate issuance may fail during ipa-client-install but
43edf8 
certmonger will re-try the request.
43edf8
43edf8 
Fixes: https://pagure.io/freeipa/issue/9246
43edf8
43edf8 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
43edf8 
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
43edf8 
Reviewed-By: Stanislav Levin <slev@altlinux.org>
43edf8 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
43edf8 
---
43edf8 
 ipaclient/install/client.py | 7 +++++--
43edf8 
 1 file changed, 5 insertions(+), 2 deletions(-)
43edf8
43edf8 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
43edf8 
index 0f42937997452e9c37a2c98477638de51cf46b90..fed649065c94d2f2623157b825b374b850a4a03e 100644
43edf8 
--- a/ipaclient/install/client.py
43edf8 
+++ b/ipaclient/install/client.py
43edf8 
@@ -2836,8 +2836,6 @@ def _install(options, tdict):
43edf8
43edf8 
     if not options.on_master:
43edf8 
         client_dns(cli_server[0], hostname, options)
43edf8 
-        configure_certmonger(fstore, subject_base, cli_realm, hostname,
43edf8 
-                             options, ca_enabled)
43edf8
43edf8 
     update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options.create_sshfp)
43edf8
43edf8 
@@ -3035,6 +3033,11 @@ def _install(options, tdict):
43edf8
43edf8 
         logger.info("Configured /etc/krb5.conf for IPA realm %s", cli_realm)
43edf8
43edf8 
+        # Configure certmonger after krb5.conf is created and last
43edf8 
+        # to give higher chance that the new client is replicated.
43edf8 
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
43edf8 
+                             options, ca_enabled)
43edf8 
+
43edf8 
     logger.info('Client configuration complete.')
43edf8
43edf8
43edf8 
--
43edf8 
2.39.2
43edf8

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation