authorSimo Sorce <simo@redhat.com>2016-07-26 11:19:01 -0400
committerJan Cholasta <jcholast@redhat.com>2016-12-12 13:39:44 +0100
commitca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 (patch)
tree92b2245b68b343440591e47f82e4898d48c07c2e /ipaserver/install/server
parent32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d (diff)
Configure Anonymous PKINIT on server install
Allow anonymous PKINIT to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA, for example) using an anonymous krbtgt obtained via PKINIT. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r--ipaserver/install/server/__init__.py4
-rw-r--r--ipaserver/install/server/install.py21
-rw-r--r--ipaserver/install/server/replicainstall.py4
-rw-r--r--ipaserver/install/server/upgrade.py35
4 files changed, 50 insertions, 14 deletions
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 0237702cc..28cdd066a 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -501,8 +501,8 @@ class ServerInstallInterface(client.ClientInstallInterface,
"You must specify at least one of --forwarder, "
"--auto-forwarders, or --no-forwarders options")
- # Automatically disable pkinit w/ dogtag until that is supported
- self.no_pkinit = True
+ # Automatically enable pkinit w/ dogtag
+ self.no_pkinit = not self.setup_ca
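Review bot: The assignment `self.no_pkinit = not self.setup_ca` is unconditional, so if `no_pkinit` is an operator-facing option here (its declaration is outside this hunk) an explicit `--no-pkinit` is overwritten whenever a CA is being installed. The same forced value feeds the new check in install.py's `install_check` (the second hunk of this commit), which raises as soon as `pkinit_cert_files` is set while `no_pkinit` is false, so a CA install with externally provided PKINIT certificates cannot be steered past that error by the option its message recommends. Preserving an explicit opt-out would be `self.no_pkinit = self.no_pkinit or not self.setup_ca`, with the comment adjusted to `# Enable pkinit by default when a CA is installed; keep an explicit --no-pkinit`. The enclosing validation method begins outside this hunk.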
ServerMasterInstallInterface = installs_master(ServerInstallInterface)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f81c202cc..b5b9cb48a 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -521,6 +521,11 @@ def install_check(installer):
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
if options.pkinit_cert_files:
+ if not options.no_pkinit:
+ raise ScriptError("Cannot create KDC PKINIT certificate and use "
+ "provided external PKINIT certificate at the "
+ "same time. Please choose one of them.")
+
if options.pkinit_pin is None:
options.pkinit_pin = read_password(
"Enter Kerberos KDC private key unlock",
@@ -792,17 +797,11 @@ def install(installer):
ds.enable_ssl()
krb = krbinstance.KrbInstance(fstore)
- if options.pkinit_cert_files:
- krb.create_instance(realm_name, host_name, domain_name,
- dm_password, master_password,
- setup_pkinit=not options.no_pkinit,
- pkcs12_info=pkinit_pkcs12_info,
- subject_base=options.subject)
- else:
- krb.create_instance(realm_name, host_name, domain_name,
- dm_password, master_password,
- setup_pkinit=not options.no_pkinit,
- subject_base=options.subject)
+ krb.create_instance(realm_name, host_name, domain_name,
+ dm_password, master_password,
+ setup_pkinit=not options.no_pkinit,
+ pkcs12_info=pkinit_pkcs12_info,
+ subject_base=options.subject)
# restart DS to enable ipa-pwd-extop plugin
print("Restarting directory server to enable password extension plugin")
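Review bot: The merged `krb.create_instance(...)` call now always passes `pkcs12_info=pkinit_pkcs12_info`, which preserves the old branch behaviour only if `pkinit_pkcs12_info` is `None` whenever `options.pkinit_cert_files` is unset and `create_instance` treats an explicit `None` the same as the omitted keyword; both the variable's initialisation and the callee are outside this hunk. A one-line comment above the call would record that assumption, e.g. `# pkinit_pkcs12_info is None unless external PKINIT certs were supplied`. The body of `install()` continues on both sides of the hunk.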
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 06d209e23..b0cf28f0f 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -124,7 +124,9 @@ def install_krb(config, setup_pkinit=False, promote=False):
krb.create_replica(config.realm_name,
config.master_host_name, config.host_name,
config.domain_name, config.dirman_password,
- setup_pkinit, pkcs12_info, promote=promote)
+ setup_pkinit, pkcs12_info,
+ subject_base=config.subject_base,
+ promote=promote)
return krb
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 245450701..0ebe9af24 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@ from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance
from ipaserver.install import dogtaginstance
+from ipaserver.install import krbinstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@@ -1492,6 +1493,20 @@ def add_default_caacl(ca):
sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+def enable_anonymous_principal(krb):
+ princ_realm = krb.get_anonymous_principal_name()
+ dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
+ try:
+ _ = api.Backend.ldap2.get_entry(dn) # pylint: disable=unused-variable
+ except ipalib.errors.NotFound:
+ krb.add_anonymous_principal()
+
+ try:
+ api.Backend.ldap2.set_entry_active(dn, True)
+ except ipalib.errors.AlreadyActive:
+ pass
+
+
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
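Review bot: `enable_anonymous_principal` has no docstring and binds the `get_entry` result to `_` only to silence pylint; the lookup is a pure presence probe, so a bare `api.Backend.ldap2.get_entry(dn)` statement expresses that without the `# pylint: disable=unused-variable` comment. A docstring should state the two idempotent steps the code performs on every upgrade: create the anonymous principal when `get_entry` raises `NotFound`, then activate it, treating `AlreadyActive` as success. Worth calling out in that docstring is that the activation is unconditional, so a principal an administrator deliberately deactivated is re-enabled by the next upgrade run; if that is intended, saying so saves the next maintainer a surprise. The function is complete inside this hunk.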
@@ -1735,6 +1750,26 @@ def upgrade_configuration():
set_sssd_domain_option('ipa_server_mode', 'True')
+ krb = krbinstance.KrbInstance(fstore)
+ krb.fqdn = fqdn
+ krb.realm = api.env.realm
+ krb.suffix = ipautil.realm_to_suffix(krb.realm)
+ krb.subject_base = subject_base
+ if not os.path.exists(paths.KDC_CERT):
+ krb.setup_pkinit()
+ replacevars = dict()
+ replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
+ paths.KDC_CERT,paths.KDC_KEY)
+ appendvars = {}
+ ipautil.backup_config_and_replace_variables(
+ fstore, paths.KRB5KDC_KDC_CONF, replacevars=replacevars,
+ appendvars=appendvars)
+ tasks.restore_context(paths.KRB5KDC_KDC_CONF)
+ if krb.is_running():
+ krb.stop()
+ krb.start()
+ enable_anonymous_principal(krb)
+
if not ds_running:
ds.stop(ds_serverid)
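Review bot: The restart block `if krb.is_running(): krb.stop()` followed by an unconditional `krb.start()` brings the KDC up even when it was not running before the upgrade, unlike the `if not ds_running: ds.stop(ds_serverid)` context just below, which restores the directory server's prior state; unless a later step needs the KDC up, indenting the start under the same check (`if krb.is_running():` / `    krb.stop()` / `    krb.start()`) keeps service state unchanged. The guard `if not os.path.exists(paths.KDC_CERT)` looks only at the certificate, yet `pkinit_identity` is then written to name both `paths.KDC_CERT` and `paths.KDC_KEY`, so a host with a stray certificate but no key ends up with a kdc.conf pointing at a missing key file; checking both paths before skipping `krb.setup_pkinit()` seems safer, assuming `setup_pkinit` regenerates both. Two smaller points in the same hunk: `replacevars = dict()` next to `appendvars = {}` mixes literal styles, and `paths.KDC_CERT,paths.KDC_KEY` is missing the space after the comma. `upgrade_configuration()` begins outside this hunk.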