author | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-15 14:04:56 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 16:39:39 +0100 |
commit | a1686a90c0cc8c16c89ef1bada7f507729bf3252 (patch) | |
tree | 7f49024165bf0da794c0e24ba70c276437789581 | |
parent | b45629fc480e61464b402ac2fc52c6f9fc61df0e (diff) | |

Try out anonymous PKINIT after it is configured

After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

-rw-r--r-- | ipaserver/install/krbinstance.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 36d15886b..d936cc5f4 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -410,6 +410,12 @@ class KrbInstance(service.Service): root_logger.critical("krb5kdc service failed to restart") raise + with ipautil.private_ccache() as anon_ccache: + try: + ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) + except ipautil.CalledProcessError as e: + raise RuntimeError("Failed to configure anonymous PKINIT") + def enable_ssl(self): if self.config_pkinit: self.steps = [] |
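
Review bot: in the added `except ipautil.CalledProcessError as e:` branch, `e` is bound but never used, so the `RuntimeError("Failed to configure anonymous PKINIT")` that replaces it carries no detail about why `kinit -n` failed (exit status or error text). Since the commit message says the installer should fail hard here, the person reading that failure needs the cause: either log the exception before re-raising, as the `root_logger.critical(...)` call just above does for the krb5kdc restart, or include `e` in the RuntimeError message; if the detail is deliberately dropped, remove the unused `as e`. A one-line comment above `with ipautil.private_ccache() as anon_ccache:` stating that this is a post-configuration check of anonymous PKINIT would also make the purpose of the throwaway ccache clear.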