Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r--ipa-server/ipaserver/krbinstance.py30
1 files changed, 20 insertions, 10 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 84f8ebf2..df403471 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -87,6 +87,8 @@ class KrbInstance:
self.__create_http_keytab()
+ self.__set_kadmin_changepw_preauth()
+
self.__create_sample_bind_zone()
self.start()
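Review bot: The call inserted before `__create_sample_bind_zone()` runs kadmin.local through os.popen3 (in the `__set_kadmin_changepw_preauth` body added later in this diff) and closes all three pipes without reading stderr or checking whether the command succeeded, so a failed `modprinc +requires_preauth kadmin/changepw` is silent and the installer continues as if the password-change principal had been hardened. The same pattern appears to be used in `__create_http_keytab`, whose body is cut off at the end of this diff. At minimum read kerr before closing and fail on non-empty output, e.g. `err = kerr.read()` followed by `if err: raise RuntimeError("kadmin.local failed: " + err)`; a subprocess-based call with a return-code check would be the more robust shape if the rest of the file permits it.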
@@ -148,19 +150,19 @@ class KrbInstance:
# TODO: NOT called yet, need to find out how to make sure the plugin is available first
def __add_pwd_extop_module(self):
- #add the password extop module
- extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
- extop_fd = write_tmp_file(extop_txt)
- ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
- extop_fd.close()
-
- #add an ACL to let the DS user read the master key
- args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
- run(args)
+ #add the password extop module
+ extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
+ extop_fd = write_tmp_file(extop_txt)
+ ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+ extop_fd.close()
+
+ #add an ACL to let the DS user read the master key
+ args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+ run(args)
def __create_sample_bind_zone(self):
bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
- [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+ [bind_fd, bind_name] = tempfile.mkstemp(".db","sammple.zone.")
os.write(bind_fd, bind_txt)
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
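Review bot: The added line in `__create_sample_bind_zone` changes the mkstemp prefix from `sample.zone.` to `sammple.zone.`, which looks like an accidental typo rather than an intended rename; the printed path and any documentation that refers to the sample zone file name will no longer match. Restore the original prefix: `[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")`. The re-indented `__add_pwd_extop_module` body is otherwise unchanged, and the hunk also leaves the TODO above it in place, so the extop module and the master-key ACL are still not applied by this commit.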
@@ -181,6 +183,14 @@ class KrbInstance:
pent = pwd.getpwnam(self.ds_user)
os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
+ def __set_kadmin_changepw_preauth(self):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write("modprinc +requires_preauth kadmin/changepw\n")
+ kwrite.flush()
+ kwrite.close()
+ kread.close()
+ kerr.close()
+
def __create_http_keytab(self):
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")