ac7d03
From 6602dffc7ab8e9bdc7fefd02f9ed11e5575f5f7b Mon Sep 17 00:00:00 2001
ac7d03
From: Martin Babinsky <mbabinsk@redhat.com>
ac7d03
Date: Wed, 22 Mar 2017 16:41:59 +0100
ac7d03
Subject: [PATCH] Always check and create anonymous principal during KDC
ac7d03
 install
ac7d03
ac7d03
The anonymous principal will now be checked for presence and created on
ac7d03
both server and replica install. This fixes errors caused during replica
ac7d03
installation against older masters that do not have the anonymous principal
ac7d03
present.
ac7d03
ac7d03
https://pagure.io/freeipa/issue/6799
ac7d03
ac7d03
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ac7d03
---
ac7d03
 ipaserver/install/krbinstance.py | 17 +++++++++++++----
ac7d03
 1 file changed, 13 insertions(+), 4 deletions(-)
ac7d03
ac7d03
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
ac7d03
index 5f4b5282f54234c15b1a8d8273eff69e134e665b..6c105f74c8da2bfd34ace607b13170bc96a8ff1d 100644
ac7d03
--- a/ipaserver/install/krbinstance.py
ac7d03
+++ b/ipaserver/install/krbinstance.py
ac7d03
@@ -33,7 +33,7 @@ from ipaserver.install import installutils
ac7d03
 from ipapython import ipaldap
ac7d03
 from ipapython import ipautil
ac7d03
 from ipapython import kernel_keyring
ac7d03
-from ipalib import api
ac7d03
+from ipalib import api, errors
ac7d03
 from ipalib.constants import ANON_USER
ac7d03
 from ipalib.install import certmonger
ac7d03
 from ipapython.ipa_log_manager import root_logger
ac7d03
@@ -142,6 +142,7 @@ class KrbInstance(service.Service):
ac7d03
             pass
ac7d03
 
ac7d03
     def __common_post_setup(self):
ac7d03
+        self.step("creating anonymous principal", self.add_anonymous_principal)
ac7d03
         self.step("starting the KDC", self.__start_instance)
ac7d03
         self.step("configuring KDC to start on boot", self.__enable)
ac7d03
 
ac7d03
@@ -160,7 +161,6 @@ class KrbInstance(service.Service):
ac7d03
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
ac7d03
         self.step("creating a keytab for the machine", self.__create_host_keytab)
ac7d03
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
ac7d03
-        self.step("creating anonymous principal", self.add_anonymous_principal)
ac7d03
 
ac7d03
         self.__common_post_setup()
ac7d03
 
ac7d03
@@ -432,8 +432,17 @@ class KrbInstance(service.Service):
ac7d03
     def add_anonymous_principal(self):
ac7d03
         # Create the special anonymous principal
ac7d03
         princ_realm = self.get_anonymous_principal_name()
ac7d03
-        installutils.kadmin_addprinc(princ_realm)
ac7d03
-        self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
ac7d03
+        dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
ac7d03
+        try:
ac7d03
+            self.api.Backend.ldap2.get_entry(dn)
ac7d03
+        except errors.NotFound:
ac7d03
+            installutils.kadmin_addprinc(princ_realm)
ac7d03
+            self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
ac7d03
+
ac7d03
+        try:
ac7d03
+            self.api.Backend.ldap2.set_entry_active(dn, True)
ac7d03
+        except errors.AlreadyActive:
ac7d03
+            pass
ac7d03
 
ac7d03
     def __convert_to_gssapi_replication(self):
ac7d03
         repl = replication.ReplicationManager(self.realm,
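Review bot: The second `try` in `add_anonymous_principal` calls `set_entry_active(dn, True)` on every server and replica install, so an anonymous principal that an administrator had deliberately disabled is re-enabled with no trace in the install log. If forcing it active is intended, state that in a comment above the call and record the change by adding an `else:` branch to that `try` containing `root_logger.info("Anonymous principal %s was inactive and has been enabled", princ_realm)`. When `get_entry` finds the principal, `anon-princ-aci.ldif` is not applied, which is only safe if every master that has the principal also has the ACI; that cannot be confirmed from this hunk. The step label `"creating anonymous principal"` added to `__common_post_setup` is now slightly misleading, because the step may only look up and activate an existing entry.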
ac7d03
-- 
ac7d03
2.12.2
ac7d03