URL: https://github.com/freeipa/freeipa/pull/631
Author: martbab
 Title: #631: Upgrade: configure PKINIT after adding anonymous principal
Action: synchronized

From 280d2949e6fcde67354aaf0ecd7b2eacf4b0b097 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous
 principal

In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade will fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
                         KDC_CERT=paths.KDC_CERT,
                         KDC_KEY=paths.KDC_KEY,
                         CACERT_PEM=paths.CACERT_PEM)
-    setup_pkinit(krb)
     enable_anonymous_principal(krb)
     http.request_anon_keytab()
+    setup_pkinit(krb)
 
     if not ds_running:
         ds.stop(ds_serverid)
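Review bot: The ordering constraint that the moved `setup_pkinit(krb)` call now depends on is invisible at the call site, so a later reshuffle could swap the calls back and reintroduce the failure this commit fixes. Add a why-comment on the moved line, e.g. `# must run after enable_anonymous_principal(): setup_pkinit exercises anonymous PKINIT (kinit -n)`. Whether `http.request_anon_keytab()` itself needs PKINIT configured first is not visible here; if it does, it should move below `setup_pkinit` rather than stay above it. `upgrade_configuration` starts and ends outside the hunk.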

From 9719d674bb7ab79a2019d82aebc750a80ba7f635 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT
 handling

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
         with ipautil.private_ccache() as anon_ccache:
             try:
                 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-            except ipautil.CalledProcessError as e:
+            except ipautil.CalledProcessError:
                 raise RuntimeError("Failed to configure anonymous PKINIT")
 
     def enable_ssl(self):
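Review bot: Dropping the `as e` binding also drops the only handle on why `kinit -n` failed, so the bare `RuntimeError("Failed to configure anonymous PKINIT")` leaves an install or upgrade failure with no exit status or stderr to act on. Keep the binding and record it before re-raising, e.g. `except ipautil.CalledProcessError as e:` followed by `root_logger.error("Anonymous PKINIT check failed: %s", e)` before the `raise` (`root_logger` is already used in this file), or chain the cause if the file's Python baseline allows `raise ... from e`, which is not visible here. `setup_pkinit` starts outside the hunk.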

From 3a241ab63883cec399b4d57f65628901aeff4523 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/4] Split out anonymous PKINIT test to a spearate method

This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
             root_logger.critical("krb5kdc service failed to restart")
             raise
 
+    def test_anonymous_pkinit(self):
         with ipautil.private_ccache() as anon_ccache:
             try:
                 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
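Review bot: `test_anonymous_pkinit` is added without a docstring, and its name reads like a unit test rather than a runtime self-check of the KDC. Give it a one-line docstring such as `"""Run ``kinit -n`` into a throwaway ccache to verify the KDC accepts anonymous PKINIT; raises RuntimeError on failure."""`. If a rename is acceptable, `verify_anonymous_pkinit` would avoid the test-collector connotation, but the later patches call it by the current name. The method's body (the `except` clause) continues past the hunk.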
@@ -421,6 +422,7 @@ def enable_ssl(self):
             self.steps = []
             self.step("installing X509 Certificate for PKINIT",
                       self.setup_pkinit)
+            self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 
             self.start_creation()
 

From e12c9eb32900a086d26411b8a243bfca83048eca Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/4] Ensure KDC is propery configured after upgrade

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
     root_logger.info("[Setup PKINIT]")
 
-    if os.path.exists(paths.KDC_CERT):
-        root_logger.info("PKINIT already set up")
-        return
-
     if not api.Command.ca_is_enabled()['result']:
         root_logger.info("CA is not enabled")
         return
 
-    krb.setup_pkinit()
+    if not os.path.exists(paths.KDC_CERT):
+        root_logger.info("Requesting PKINIT certificate")
+        krb.setup_pkinit()
+
     replacevars = dict()
     replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
         paths.KDC_CERT,paths.KDC_KEY)
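Review bot: The guard `if not os.path.exists(paths.KDC_CERT):` checks only the certificate, yet the `pkinit_identity` built two lines later points the KDC at both `paths.KDC_CERT` and `paths.KDC_KEY`; a server with a cert but a missing key file skips `krb.setup_pkinit()` and then fails at the KDC restart or at the anonymous PKINIT check. Check both files: `if not (os.path.exists(paths.KDC_CERT) and os.path.exists(paths.KDC_KEY)):`. Since the early `return` was removed, the kdc.conf rewrite, restart and check now run on every upgrade of a CA-enabled server; that appears intentional but deserves a comment like `# always re-apply pkinit_identity/anchors so an upgrade repairs a stale kdc.conf`. `setup_pkinit` ends past this hunk.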
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):
     if krb.is_running():
         krb.stop()
     krb.start()
+    krb.test_anonymous_pkinit()
 
 
 def disable_httpd_system_trust(http):
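Review bot: `krb.test_anonymous_pkinit()` runs immediately after `krb.start()` and raises `RuntimeError` on failure, so a transient failure here (for instance the KDC not yet accepting connections) now aborts the whole upgrade rather than being logged. If `krb.start()` does not block until the KDC is serving, which is not visible here, a short bounded retry around the call (a few attempts with `time.sleep(1)` between them) would avoid spurious upgrade failures; if the check is meant to be diagnostic rather than a hard requirement, catch the `RuntimeError`, log it, and continue. `setup_pkinit` starts outside the hunk.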