Do not test anonymous PKINIT after install/upgrade

Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

2 files changed, 0 insertions, 10 deletions

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index ad3475f95..76ac3029c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -475,13 +475,6 @@ class KrbInstance(service.Service):
         elif self.config_pkinit:
             self.issue_ipa_ca_signed_pkinit_certs()
 
-    def test_anonymous_pkinit(self):
-        with ipautil.private_ccache() as anon_ccache:
-            try:
-                ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-            except ipautil.CalledProcessError:
-                raise RuntimeError("Failed to configure anonymous PKINIT")
-
     def enable_ssl(self):
         """
         generate PKINIT certificate for KDC. If `--no-pkinit` was specified,
@@ -496,8 +489,6 @@ class KrbInstance(service.Service):
             self.steps = []
             self.step("installing X509 Certificate for PKINIT",
                       self.setup_pkinit)
-            self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
-
             self.start_creation()
         else:
             self.issue_selfsigned_pkinit_certs()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 8da918114..0f27428dd 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1507,7 +1507,6 @@ def setup_pkinit(krb):
     if krb.is_running():
         krb.stop()
     krb.start()
-    krb.test_anonymous_pkinit()
 
 
 def disable_httpd_system_trust(http):