| author | Simo Sorce <simo@redhat.com> | 2016-07-26 11:19:01 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2016-12-08 19:54:30 -0500 |
| commit | e17438cca414b1bc7a5c21da502550a520f25a67 (patch) | |
| tree | e387e32f96a2893a1729a738cf7350b4b5a7611b /ipaserver/install/server | |
| parent | fad87a9962ee33cfebc4fa59aba589e98b076cea (diff) | |
Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
| -rw-r--r-- | ipaserver/install/server/__init__.py | 4 | ||||
| -rw-r--r-- | ipaserver/install/server/install.py | 21 | ||||
| -rw-r--r-- | ipaserver/install/server/replicainstall.py | 4 | ||||
| -rw-r--r-- | ipaserver/install/server/upgrade.py | 35 |
4 files changed, 50 insertions, 14 deletions
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 0237702cc..28cdd066a 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -501,8 +501,8 @@ class ServerInstallInterface(client.ClientInstallInterface,
 "You must specify at least one of --forwarder, "
 "--auto-forwarders, or --no-forwarders options")
- # Automatically disable pkinit w/ dogtag until that is supported
- self.no_pkinit = True
+ # Automatically enable pkinit w/ dogtag
+ self.no_pkinit = not self.setup_ca
 ServerMasterInstallInterface = installs_master(ServerInstallInterface)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f81c202cc..b5b9cb48a 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -521,6 +521,11 @@ def install_check(installer):
 dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
 if options.pkinit_cert_files:
+ if not options.no_pkinit:
+ raise ScriptError("Cannot create KDC PKINIT certificate and use "
+ "provided external PKINIT certificate at the "
+ "same time. Please choose one of them.")
+
 if options.pkinit_pin is None:
 options.pkinit_pin = read_password(
 "Enter Kerberos KDC private key unlock",
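Review bot: `self.no_pkinit = not self.setup_ca` overwrites whatever value the attribute already had, so if `--no-pkinit` is still a user-facing option, passing it on a CA-backed install is silently ignored and PKINIT is configured anyway. If the intent is "on by default with an integrated CA, but honour an explicit opt-out", the line should be `self.no_pkinit = self.no_pkinit or not self.setup_ca`; if the intent really is to force it, the comment should say so. Either way the comment is too thin for a security-relevant default; something like `# The KDC certificate is issued by the integrated CA, so PKINIT is only set up automatically when a CA is installed; CA-less installs must bring their own via --pkinit-cert-file` tells the next reader why. The method these lines belong to starts outside the hunk.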
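Review bot: The new error tells the user to "choose one of them", but neither option is named and `no_pkinit` is not something the user chose at this point if, as the `__init__.py` hunk in this commit suggests, it is derived from `setup_ca` before `install_check` runs — in that case a CA-backed install with `--pkinit-cert-file` can never get past this check and the advice is misleading. Name the actual flags and the reason in the message, e.g. `raise ScriptError("--pkinit-cert-file cannot be combined with the integrated CA issuing the KDC certificate; drop --pkinit-cert-file or pass --no-pkinit")`, and confirm the opt-out actually reaches here. `install_check` continues outside the hunk on both sides.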
@@ -792,17 +797,11 @@ def install(installer):
 ds.enable_ssl()
 krb = krbinstance.KrbInstance(fstore)
- if options.pkinit_cert_files:
- krb.create_instance(realm_name, host_name, domain_name,
- dm_password, master_password,
- setup_pkinit=not options.no_pkinit,
- pkcs12_info=pkinit_pkcs12_info,
- subject_base=options.subject)
- else:
- krb.create_instance(realm_name, host_name, domain_name,
- dm_password, master_password,
- setup_pkinit=not options.no_pkinit,
- subject_base=options.subject)
+ krb.create_instance(realm_name, host_name, domain_name,
+ dm_password, master_password,
+ setup_pkinit=not options.no_pkinit,
+ pkcs12_info=pkinit_pkcs12_info,
+ subject_base=options.subject)
 # restart DS to enable ipa-pwd-extop plugin
 print("Restarting directory server to enable password extension plugin")
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f1f7b1bf8..0cd346849 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -124,7 +124,9 @@ def install_krb(config, setup_pkinit=False, promote=False):
 krb.create_replica(config.realm_name, config.master_host_name,
 config.host_name, config.domain_name,
 config.dirman_password,
- setup_pkinit, pkcs12_info, promote=promote)
+ setup_pkinit, pkcs12_info,
+ subject_base=config.subject_base,
+ promote=promote)
 return krb
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 245450701..5056f833e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@ from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import krbinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
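Review bot: Collapsing the two branches means `pkcs12_info=pkinit_pkcs12_info` is now passed on the path where no `--pkinit-cert-file` was given, which the old `else` branch deliberately avoided; that is only correct if `pkinit_pkcs12_info` is bound to `None` (or whatever `create_instance` treats as "issue the certificate yourself") before this point. The assignment is not in this hunk and the earlier `install_check` hunk only shows the `dirsrv_pkcs12_info` tuple, so please confirm the default, and say it here: `# pkinit_pkcs12_info is None unless --pkinit-cert-file was given; with setup_pkinit and no PKCS#12 the KDC certificate is requested from the CA`. `install` continues outside the hunk on both sides.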
@@ -1492,6 +1493,20 @@ def add_default_caacl(ca):
 sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+def enable_anonymous_principal(krb):
+ princ_realm = krb.get_anonymous_principal()
+ dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
+ try:
+ _ = api.Backend.ldap2.get_entry(dn) # pylint: disable=unused-variable
+ except ipalib.errors.NotFound:
+ installutils.kadmin_addprinc(princ_realm)
+
+ try:
+ api.Backend.ldap2.set_entry_active(dn, True)
+ except ipalib.errors.AlreadyActive:
+ pass
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1735,6 +1750,26 @@ def upgrade_configuration():
 set_sssd_domain_option('ipa_server_mode', 'True')
+ krb = krbinstance.KrbInstance(fstore)
+ krb.fqdn = fqdn
+ krb.realm = api.env.realm
+ krb.suffix = ipautil.realm_to_suffix(krb.realm)
+ krb.subject_base = subject_base
+ if not os.path.exists(paths.KDC_CERT):
+ krb.setup_pkinit()
+ enable_anonymous_principal(krb)
+ replacevars = dict()
+ replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
+ paths.KDC_CERT,paths.KDC_KEY)
+ appendvars = {}
+ ipautil.backup_config_and_replace_variables(
+ fstore, paths.KRB5KDC_KDC_CONF, replacevars=replacevars,
+ appendvars=appendvars)
+ tasks.restore_context(paths.KRB5KDC_KDC_CONF)
+ if krb.is_running():
+ krb.stop()
+ krb.start()
+
 if not ds_running:
 ds.stop(ds_serverid) |
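Review bot: `api.Backend.ldap2.set_entry_active(dn, True)` runs on every upgrade, so an administrator who deliberately disabled the anonymous principal (the thing that lets unenrolled, unauthenticated hosts obtain anonymous PKINIT tickets) gets it silently re-enabled the next time the upgrade runs; the `AlreadyActive` handler only covers the already-enabled case, not the intentionally-disabled one. The neighbouring `add_default_caacl` records its one-shot work with `sysupgrade.set_upgrade_state(...)`; do the same here, recording `sysupgrade.set_upgrade_state('krb', 'enable_anonymous_principal', True)` after activation and returning early when it is already set. The existence probe `_ = api.Backend.ldap2.get_entry(dn)  # pylint: disable=unused-variable` can be just `api.Backend.ldap2.get_entry(dn)`, and the function needs a docstring, e.g. `"""Ensure the realm's anonymous principal exists and is active; required for anonymous PKINIT."""`. The function is fully contained in the hunk.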
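Review bot: `if not os.path.exists(paths.KDC_CERT): krb.setup_pkinit()` only looks at the certificate, yet `pkinit_identity` is then pointed at both `paths.KDC_CERT` and `paths.KDC_KEY`, so a host that has the certificate but lost or never got the key is left with a KDC config referencing a missing key; check both, `if not (os.path.exists(paths.KDC_CERT) and os.path.exists(paths.KDC_KEY)):`. The kdc.conf rewrite and the KDC stop/start also happen unconditionally on every upgrade run, which is a restart of the realm's KDC even when nothing changed — gate it on the variable actually changing or on an upgrade-state flag. Nothing in this hunk sets `pkinit_anchors`; if the existing kdc.conf template does not already carry it, the KDC cannot validate client certificates and this is only half of the KDC-side configuration, which is worth confirming. Minor style: `replacevars = dict()` next to `appendvars = {}` should both be `{}`, and `paths.KDC_CERT,paths.KDC_KEY` wants a space after the comma. `upgrade_configuration` starts and ends outside the hunk.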
