|
 |
483b06 |
From 1815435956746814362ddafca4f7a967e8886d90 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Petr Vobornik <pvoborni@redhat.com>
|
|
|
483b06 |
Date: Tue, 25 Apr 2017 17:19:36 +0200
|
|
|
483b06 |
Subject: [PATCH] kerberos session: use CA cert with full cert chain for
|
|
|
483b06 |
obtaining cookie
|
|
|
483b06 |
|
|
|
483b06 |
Http request performed in finalize_kerberos_acquisition doesn't use
|
|
|
483b06 |
CA certificate/certificate store with full certificate chain of IPA server.
|
|
|
483b06 |
So it might happen that in case that IPA is installed with externally signed
|
|
|
483b06 |
CA certificate, the call can fail because of certificate validation
|
|
|
483b06 |
and e.g. prevent session acquisition.
|
|
|
483b06 |
|
|
|
483b06 |
If it will fail for sure is not known - the use case was not discovered,
|
|
|
483b06 |
but it is faster and safer to fix preemptively.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6876
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaserver/rpcserver.py | 3 ++-
|
|
|
483b06 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
|
483b06 |
index 161872450d141a61af4345a20e278db728fe2aac..996a3d29884ca0180c39841f6986abf9b23ff13a 100644
|
|
|
483b06 |
--- a/ipaserver/rpcserver.py
|
|
|
483b06 |
+++ b/ipaserver/rpcserver.py
|
|
|
483b06 |
@@ -602,7 +602,8 @@ class KerberosSession(HTTP_Status):
|
|
|
483b06 |
try:
|
|
|
483b06 |
target = self.api.env.host
|
|
|
483b06 |
r = requests.get('http://{0}/ipa/session/cookie'.format(target),
|
|
|
483b06 |
- auth=NegotiateAuth(target, ccache_name))
|
|
|
483b06 |
+ auth=NegotiateAuth(target, ccache_name),
|
|
|
483b06 |
+ verify=paths.IPA_CA_CRT)
|
|
|
483b06 |
session_cookie = r.cookies.get("ipa_session")
|
|
|
483b06 |
if not session_cookie:
|
|
|
483b06 |
raise ValueError('No session cookie found')
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.2
|
|
|
483b06 |
|