From 52855f472ea918534d50743af4a2b512661fdd95 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Aug 2020 18:52:07 +0200
Subject: [PATCH] CAless installation: set the perms on KDC cert file
In a CA-less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/krbinstance.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a666c0918afad81e35f49387ffc32cde60484c5d..3aede9016eb6de38d43a84cb6997cb69987c4eb2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -527,6 +527,8 @@ class KrbInstance(service.Service):
certs.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_CERT)
+ # The KDC cert needs to be readable by everyone
+ os.chmod(paths.KDC_CERT, 0o644)
certs.install_key_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_KEY)
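Review bot: The private key written right after the new `os.chmod` gets no matching explicit mode, so the hunk pins the certificate at 0o644 but still relies on whatever `certs.install_key_from_p12` leaves on `paths.KDC_KEY`. That helper's body is not visible here, so this is a point to confirm rather than a proven defect; if it does not already restrict the file, an explicit owner-only chmod after the call would make the difference between cert and key deliberate. The added comment would also be more useful if it recorded the reason given in the commit message, for example `# KDC cert must be world-readable (0o644); otherwise WebUI login fails, see https://pagure.io/freeipa/issue/8440`. The enclosing method of KrbInstance starts and ends outside the hunk.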
--
2.26.2