From aa123edfdab1836c0915bb75f3bf82e46083b17f Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Wed, 28 Jun 2017 09:49:18 +0200

Subject: [PATCH] smart-card-advises: ensure that krb5-pkinit is installed on

 client

This library is a prerequisite for successful Smart Card authentication

on the client. The client-side advise should make sure this dependency

is present.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/advise/plugins/smart_card_auth.py | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py

index 5134db535e8f10e8cf850dbf0696b679aacec4f5..fb328f29ca5051ad52c9c5e0000021ad5e8b94e8 100644

--- a/ipaserver/advise/plugins/smart_card_auth.py

+++ b/ipaserver/advise/plugins/smart_card_auth.py

@@ -256,6 +256,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):

         self.check_ccache_not_empty()

         self.check_and_remove_pam_pkcs11()

         self.install_opensc_and_dconf_packages()

+        self.install_krb5_client_dependencies()

         self.start_enable_smartcard_daemon()

         self.add_pkcs11_module_to_systemwide_db()

         self.upload_smartcard_ca_certificates_to_systemwide_db()

@@ -281,6 +282,12 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):

             ['Could not install OpenSC package']

         )

+    def install_krb5_client_dependencies(self):

+        self.log.exit_on_failed_command(

+            'yum install -y krb5-pkinit-openssl',

+            ['Failed to install Kerberos client PKINIT extensions.']

+        )

+

     def start_enable_smartcard_daemon(self):

         self.log.command(

             'systemctl start {service} {socket} '

-- 

2.9.4