URL: https://github.com/freeipa/freeipa/pull/567
Author: simo5
 Title: #567: Configure KDC to use certs after they are deployed
Action: synchronized

From 5758f8aad74b043d3d2e9b76c92cc5fbd66b5976 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 9 Mar 2017 12:49:54 -0500
Subject: [PATCH] Configure KDC to use certs after they are deployed

Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/kdc.conf.template  |  4 ++--
 ipaserver/install/krbinstance.py | 28 +++++++++++++++++++---------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1f..c9d5c28 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
-  pkinit_anchors = FILE:$CACERT_PEM
+$NOPK  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK  pkinit_anchors = FILE:$CACERT_PEM
  }
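Review bot: The new `$NOPK` placeholder has no explanation in the template, and a reader of kdc.conf.template cannot tell that it expands to `;` (commenting the two pkinit lines out) until the KDC certificate is deployed and to the empty string afterwards; the same opacity applies to the `NOPK=';'` entry in the __setup_sub_dict hunk below. A one-line comment above the two lines would make the two-phase configuration visible in the file itself, e.g. `; $NOPK is ';' until the KDC cert is deployed (pkinit disabled), then '' (see setup_pkinit)`. Note that while the lines are commented out the KDC is intentionally started without a pkinit_identity, so any client expecting PKINIT during the window before setup_pkinit runs will fall back to password preauth; that is the design, but worth stating next to the lines.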
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..b92c436 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -68,6 +68,7 @@ def __init__(self, fstore=None):
         self.kdc_password = None
         self.sub_dict = None
         self.pkcs12_info = None
+        self.config_pkinit = None
 
     suffix = ipautil.dn_attribute_property('_suffix')
     subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -140,12 +141,16 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 
     def __common_post_setup(self):
         self.step("starting the KDC", self.__start_instance)
+        if self.config_pkinit:
+            self.step("installing X509 Certificate for PKINIT",
+                      self.setup_pkinit)
         self.step("configuring KDC to start on boot", self.__enable)
 
     def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
         self.master_password = master_password
         self.pkcs12_info = pkcs12_info
         self.subject_base = subject_base
+        self.config_pkinit = setup_pkinit
 
         self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
@@ -160,10 +165,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 
         self.__common_post_setup()
 
-        if setup_pkinit:
-            self.step("installing X509 Certificate for PKINIT",
-                      self.setup_pkinit)
-
         self.start_creation(runtime=30)
 
         self.kpasswd = KpasswdInstance()
@@ -178,14 +179,12 @@ def create_replica(self, realm_name,
         self.pkcs12_info = pkcs12_info
         self.subject_base = subject_base
         self.master_fqdn = master_fqdn
+        self.config_pkinit = setup_pkinit
 
         self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
         self.step("configuring KDC", self.__configure_instance)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-        if setup_pkinit:
-            self.step("installing X509 Certificate for PKINIT",
-                      self.setup_pkinit)
 
         self.__common_post_setup()
 
@@ -220,6 +219,7 @@ def __setup_sub_dict(self):
                              KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
                              DICT_WORDS=paths.DICT_WORDS,
                              KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+                             NOPK=';',
                              KDC_CERT=paths.KDC_CERT,
                              KDC_KEY=paths.KDC_KEY,
                              CACERT_PEM=paths.CACERT_PEM)
@@ -255,11 +255,12 @@ def __add_krb_container(self):
     def __add_default_acis(self):
         self._ldap_mod("default-aci.ldif", self.sub_dict)
 
-    def __template_file(self, path, chmod=0o644):
+    def __template_file(self, path, chmod=0o644, backup=True):
         template = os.path.join(paths.USR_SHARE_IPA_DIR,
                                 os.path.basename(path) + ".template")
         conf = ipautil.template_file(template, self.sub_dict)
-        self.fstore.backup_file(path)
+        if backup:
+            self.fstore.backup_file(path)
         fd = open(path, "w+")
         fd.write(conf)
         fd.close()
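Review bot: The new `backup` flag is only half the contract setup_pkinit relies on: it also passes `chmod=None`, and the part of __template_file that applies `chmod` lies outside this hunk, so the caller depends on that tail treating None as "leave the mode unchanged"; if it does not, the second templating of kdc.conf will fail or reset the mode. Please document both in the signature, e.g. `"""Render PATH from its template; chmod=None keeps the current mode, backup=False skips registering the file with fstore (used when re-rendering a file already backed up)."""`. Since the file is reopened with `"w+"` on the existing path, truncation keeps the existing mode and owner, which is what the KDC expects for its config; that behavior is what makes chmod=None workable and deserves a comment rather than an assumption.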
@@ -377,6 +378,15 @@ def setup_pkinit(self):
         # have any selinux issues with the file context
         shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
 
+        # Now modify configuration to add pkinit anchors and restart KDC
+        self.sub_dict['NOPK'] = ''
+        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False)
+        try:
+            self.restart()
+        except Exception:
+            root_logger.critical("krb5kdc service failed to restart")
+            raise
+
     def get_anonymous_principal_name(self):
         return "%s@%s" % (ANON_USER, self.realm)
 
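Review bot: The `backup=False` on the second `__template_file` call is deliberate (the copy fstore holds must stay the pre-PKINIT one so uninstall restores a working kdc.conf) but nothing says so, and a future reader may "fix" it; add `# backup=False: fstore already holds the pre-PKINIT copy from the first rendering; keep it`, hedged as an assumption if the first rendering happens in a method outside this view. The except branch rewrites kdc.conf before the restart, so a failed restart leaves the KDC down with a config that now references $KDC_CERT/$KDC_KEY; the critical message should carry the cause and that state, e.g. `root_logger.critical("krb5kdc failed to restart after enabling PKINIT (kdc.conf now references the KDC cert): %s", e)` with `except Exception as e:`. Mutating `self.sub_dict['NOPK']` in place also means any later templating in the same run renders with PKINIT enabled, which is presumably intended but worth a comment on that line.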
-- 