-rw-r--r-- | install/share/kdc.conf.template | 4 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 19 |
2 files changed, 18 insertions, 5 deletions
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1ff5..c9d5c2829 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
-pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
-pkinit_anchors = FILE:$CACERT_PEM
+$NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803cab6..04246ded9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -139,7 +139,6 @@ class KrbInstance(service.Service):
         pass
 
     def __common_post_setup(self):
-        self.step("starting the KDC", self.__start_instance)
         self.step("configuring KDC to start on boot", self.__enable)
 
     def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
@@ -157,6 +156,7 @@ class KrbInstance(service.Service):
         self.step("creating a keytab for the machine", self.__create_host_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
         self.step("creating anonymous principal", self.add_anonymous_principal)
+        self.step("starting the KDC", self.__start_instance)
 
         self.__common_post_setup()
 
@@ -183,6 +183,8 @@ class KrbInstance(service.Service):
         self.step("configuring KDC", self.__configure_instance)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
 
+        self.step("starting the KDC", self.__start_instance)
+
         if setup_pkinit:
             self.step("installing X509 Certificate for PKINIT", self.setup_pkinit)
 
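Review bot: The `$NOPK` toggle on the two pkinit lines is undocumented in the template; its meaning (`';'` until the KDC certificate exists, `''` afterwards) is only discoverable by reading krbinstance.py. Add a comment line above them such as `; NOPK is substituted with ';' until PKINIT is set up, then with ''` — it contains no `$`, so substitution leaves it alone. When NOPK expands to the empty string the rendered lines keep a leading space before `pkinit_identity`; krb5's profile parser presumably tolerates leading whitespace, but this is worth confirming, because a misparsed `pkinit_anchors` would leave PKINIT unconfigured rather than fail loudly.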
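Review bot: The relocated "starting the KDC" step now carries an implicit ordering dependency — it must run before `setup_pkinit`, which stops and restarts the already-running service — but nothing at the step says so, in either `create_instance` (hunk @@ -157) or `create_replica` (hunk @@ -183). Add `# must precede setup_pkinit, which rewrites kdc.conf and restarts the KDC` above each added `self.step("starting the KDC", self.__start_instance)`. Removing the step from `__common_post_setup` means any future caller of that helper no longer gets a running KDC, which the helper's name no longer hints at; a one-line docstring on it would help. Both enclosing methods extend past their hunks.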
@@ -220,6 +222,7 @@ class KrbInstance(service.Service):
             KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
             DICT_WORDS=paths.DICT_WORDS,
             KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+            NOPK=';',
             KDC_CERT=paths.KDC_CERT,
             KDC_KEY=paths.KDC_KEY,
             CACERT_PEM=paths.CACERT_PEM)
@@ -255,11 +258,12 @@ class KrbInstance(service.Service):
     def __add_default_acis(self):
         self._ldap_mod("default-aci.ldif", self.sub_dict)
 
-    def __template_file(self, path, chmod=0o644):
+    def __template_file(self, path, chmod=0o644, backup=True):
         template = os.path.join(paths.USR_SHARE_IPA_DIR,
                                 os.path.basename(path) + ".template")
         conf = ipautil.template_file(template, self.sub_dict)
-        self.fstore.backup_file(path)
+        if backup:
+            self.fstore.backup_file(path)
         fd = open(path, "w+")
         fd.write(conf)
         fd.close()
@@ -377,6 +381,15 @@ class KrbInstance(service.Service):
         # have any selinux issues with the file context
         shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
 
+        # Now modify configuration to add pkinit anchors and restart KDC
+        self.sub_dict['NOPK'] = ''
+        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False)
+        try:
+            self.stop()
+            self.start()
+        except Exception:
+            root_logger.critical("krb5kdc service failed to restart")
+
     def get_anonymous_principal_name(self):
         return "%s@%s" % (ANON_USER, self.realm)
 
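Review bot: `__template_file` gains a `backup` flag with no docstring saying when a caller may skip the fstore backup; the only safe case is re-rendering a file this instance has already backed up, otherwise the pre-install copy needed by uninstall is lost. A short docstring describing `path`, `chmod` and `backup` (stating that `backup=False` is only for a second render of an already backed-up file) would make that contract explicit. The chmod handling and the rest of the method lie outside the hunk.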
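Review bot: The `except Exception` around `self.stop()`/`self.start()` logs a fixed message without the exception and lets installation continue, so a PKINIT-enabled kdc.conf that krb5kdc refuses to load surfaces only as one log line while the KDC may be left stopped. Use `root_logger.exception("krb5kdc service failed to restart")` (or `critical(..., exc_info=True)`) so the cause is recorded, and consider re-raising so the installer step fails visibly rather than finishing with a dead KDC. Because stop and start are separate calls, a failure in `start()` alone leaves the service down; if the service base class offers a restart primitive it would be the tighter choice. `setup_pkinit` begins outside the hunk.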