authorSimo Sorce <simo@redhat.com>2017-03-09 12:49:54 -0500
committerSimo Sorce <simo@redhat.com>2017-03-09 12:49:54 -0500
commitd9fb5cb52b9450f6ac514b75ec4b74ec3d30affa (patch)
tree3de2c452f691d288a08243743cf82071912a3082
parent8fb61a55fe32438752567bde8af73d6b8230a386 (diff)
Configure KDC to use certs after they are deployedreplica_kdc
Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--install/share/kdc.conf.template4
-rw-r--r--ipaserver/install/krbinstance.py19
2 files changed, 18 insertions, 5 deletions
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1ff5..c9d5c2829 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
dict_file = $DICT_WORDS
default_principal_flags = +preauth
; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
- pkinit_anchors = FILE:$CACERT_PEM
+$NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK pkinit_anchors = FILE:$CACERT_PEM
}
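Review bot: The `$NOPK` placeholder on the two pkinit lines is not explained in the template, so a reader of kdc.conf.template cannot tell that it expands to `;` (the same comment character the admin_keytab line above already uses) while the KDC runs without certificates and to an empty string once they are deployed. A comment above the pair, `; $NOPK is ';' until the KDC certificate is installed, keeping both pkinit_* lines disabled; setup_pkinit re-renders this file with it empty`, would make the deployment order visible in the file itself. Without it, the next person editing the template may drop the placeholder and re-enable PKINIT on a KDC that has no identity yet.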
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803cab6..04246ded9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -139,7 +139,6 @@ class KrbInstance(service.Service):
pass
def __common_post_setup(self):
- self.step("starting the KDC", self.__start_instance)
self.step("configuring KDC to start on boot", self.__enable)
def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
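Review bot: After this change `__common_post_setup` schedules only the enable step, so every caller now has to schedule `__start_instance` itself, and before the PKINIT step; the two callers changed in the following hunks do, but nothing in the method says so. A one-line docstring, `"""Schedule the post-setup steps shared by master and replica; callers must schedule __start_instance before calling this."""`, would keep a future caller from dropping the start step silently. The body of create_instance continues outside the hunk.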
@@ -157,6 +156,7 @@ class KrbInstance(service.Service):
self.step("creating a keytab for the machine", self.__create_host_keytab)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
self.step("creating anonymous principal", self.add_anonymous_principal)
+ self.step("starting the KDC", self.__start_instance)
self.__common_post_setup()
@@ -183,6 +183,8 @@ class KrbInstance(service.Service):
self.step("configuring KDC", self.__configure_instance)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+ self.step("starting the KDC", self.__start_instance)
+
if setup_pkinit:
self.step("installing X509 Certificate for PKINIT",
self.setup_pkinit)
@@ -220,6 +222,7 @@ class KrbInstance(service.Service):
KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
DICT_WORDS=paths.DICT_WORDS,
KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+ NOPK=';',
KDC_CERT=paths.KDC_CERT,
KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM)
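Review bot: `NOPK=';'` is a magic value: nothing at this site says that the string is the kdc.conf comment character, that it is what keeps `pkinit_identity`/`pkinit_anchors` disabled in the first rendering of kdc.conf, or that setup_pkinit later resets it to `''`. A comment on the line, `# ';' comments out the pkinit_* lines in kdc.conf.template; cleared in setup_pkinit once the KDC certificate is in place`, would tie the two sites together. The enclosing sub_dict construction starts outside the hunk.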
@@ -255,11 +258,12 @@ class KrbInstance(service.Service):
def __add_default_acis(self):
self._ldap_mod("default-aci.ldif", self.sub_dict)
- def __template_file(self, path, chmod=0o644):
+ def __template_file(self, path, chmod=0o644, backup=True):
template = os.path.join(paths.USR_SHARE_IPA_DIR,
os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
- self.fstore.backup_file(path)
+ if backup:
+ self.fstore.backup_file(path)
fd = open(path, "w+")
fd.write(conf)
fd.close()
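Review bot: The new `backup` keyword is undocumented, and the reason the second rendering of kdc.conf passes `backup=False` (the first rendering already saved the pre-install file, and a second backup would presumably record IPA's own output rather than the original, depending on how fstore.backup_file treats a repeated path) is only recoverable by reading setup_pkinit. A docstring such as `"""Render <basename(path)>.template into path. backup=False skips fstore.backup_file; use it only when re-rendering a file this installer already wrote."""` would state the contract where the parameter lives. The method continues past the hunk, so the chmod handling is not visible here.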
@@ -377,6 +381,15 @@ class KrbInstance(service.Service):
# have any selinux issues with the file context
shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+ # Now modify configuration to add pkinit anchors and restart KDC
+ self.sub_dict['NOPK'] = ''
+ self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False)
+ try:
+ self.stop()
+ self.start()
+ except Exception:
+ root_logger.critical("krb5kdc service failed to restart")
+
def get_anonymous_principal_name(self):
return "%s@%s" % (ANON_USER, self.realm)
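Review bot: In the restart block added to setup_pkinit, `except Exception` with only a `critical` log drops the exception text and lets the installer continue even when `self.stop()` succeeded and `self.start()` did not, leaving the KDC down while the remaining steps run and the install reports success. At minimum record the cause with `root_logger.exception("krb5kdc service failed to restart")` (assuming root_logger is a standard logging.Logger), and consider re-raising, since a KDC that cannot be restarted with its PKINIT anchors is not a state the remaining steps can recover from. A comment is also warranted on `self.sub_dict['NOPK'] = ''`, noting that the mutation affects every template rendered from this sub_dict afterwards, not only kdc.conf, and that `chmod=None` relies on __template_file skipping the chmod in that case, which is outside this view. setup_pkinit starts outside the hunk.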