From 1815435956746814362ddafca4f7a967e8886d90 Mon Sep 17 00:00:00 2001

From: Petr Vobornik <pvoborni@redhat.com>

Date: Tue, 25 Apr 2017 17:19:36 +0200

Subject: [PATCH] kerberos session: use CA cert with full cert chain for

 obtaining cookie

Http request performed in finalize_kerberos_acquisition doesn't use

CA certificate/certificate store with full certificate chain of IPA server.

So it might happen that in case that IPA is installed with externally signed

CA certificate, the call can fail because of certificate validation

and e.g. prevent session acquisition.

If it will fail for sure is not known - the use case was not discovered,

but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 ipaserver/rpcserver.py | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py

index 161872450d141a61af4345a20e278db728fe2aac..996a3d29884ca0180c39841f6986abf9b23ff13a 100644

--- a/ipaserver/rpcserver.py

+++ b/ipaserver/rpcserver.py

@@ -602,7 +602,8 @@ class KerberosSession(HTTP_Status):

         try:

             target = self.api.env.host

             r = requests.get('http://{0}/ipa/session/cookie'.format(target),

-                             auth=NegotiateAuth(target, ccache_name))

+                             auth=NegotiateAuth(target, ccache_name),

+                             verify=paths.IPA_CA_CRT)

             session_cookie = r.cookies.get("ipa_session")

             if not session_cookie:

                 raise ValueError('No session cookie found')

-- 

2.12.2