URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: opened
PR body: """ Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567
From d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Thu, 9 Mar 2017 12:49:54 -0500 Subject: [PATCH] Configure KDC to use certs after they are deployed Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/kdc.conf.template | 4 ++-- ipaserver/install/krbinstance.py | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1f..c9d5c28 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
 dict_file = $DICT_WORDS
 default_principal_flags = +preauth
 ; admin_keytab = $KRB5KDC_KADM5_KEYTAB
- pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
- pkinit_anchors = FILE:$CACERT_PEM
+$NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK pkinit_anchors = FILE:$CACERT_PEM
 }
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..04246de 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -139,7 +139,6 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 pass
 def __common_post_setup(self):
- self.step("starting the KDC", self.__start_instance)
 self.step("configuring KDC to start on boot", self.__enable)
 def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
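Review bot: The `$NOPK` placeholder on the two new `pkinit_*` lines is undocumented in the template, so a reader of kdc.conf.template cannot tell why these two keys carry a variable prefix where no other key does; a comment line such as `; NOPK is ';' until setup_pkinit has deployed the KDC certificate, then '' so the lines below take effect` would explain it (the same gap exists at the `NOPK=';'` entry in the -220 hunk and the `self.sub_dict['NOPK'] = ''` line in the setup_pkinit hunk). One consequence worth stating in the commit message: an install that never runs `setup_pkinit` now leaves both PKINIT settings commented out permanently, whereas before the KDC was always rendered with `pkinit_identity` and `pkinit_anchors` pointing at the certificate paths — presumably intended, since those files do not exist yet at that point, but it is a behaviour change for PKINIT-less installs.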
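Review bot: `__common_post_setup` now schedules only `__enable`, so any caller that relied on it to start the KDC would leave the service stopped after install; the two callers visible in this diff (create_instance in the -157 hunk, create_replica in the -183 hunk) add the step themselves, but a caller outside this diff, if one exists, needs the same treatment. Making the new contract explicit with a docstring, `"""Schedule the post-setup steps shared by master and replica installs; starting the KDC is the caller's responsibility."""`, would keep the next caller from assuming the old behaviour.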
@@ -157,6 +156,7 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 self.step("creating a keytab for the machine", self.__create_host_keytab)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
 self.step("creating anonymous principal", self.add_anonymous_principal)
+ self.step("starting the KDC", self.__start_instance)
 self.__common_post_setup()
@@ -183,6 +183,8 @@ def create_replica(self, realm_name,
 self.step("configuring KDC", self.__configure_instance)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+ self.step("starting the KDC", self.__start_instance)
+
 if setup_pkinit:
 self.step("installing X509 Certificate for PKINIT", self.setup_pkinit)
@@ -220,6 +222,7 @@ def __setup_sub_dict(self):
 KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
 DICT_WORDS=paths.DICT_WORDS,
 KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+ NOPK=';',
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
@@ -255,11 +258,12 @@ def __add_krb_container(self):
 def __add_default_acis(self):
 self._ldap_mod("default-aci.ldif", self.sub_dict)
- def __template_file(self, path, chmod=0o644):
+ def __template_file(self, path, chmod=0o644, backup=True):
 template = os.path.join(paths.USR_SHARE_IPA_DIR, os.path.basename(path) + ".template")
 conf = ipautil.template_file(template, self.sub_dict)
- self.fstore.backup_file(path)
+ if backup:
+ self.fstore.backup_file(path)
 fd = open(path, "w+")
 fd.write(conf)
 fd.close()
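Review bot: In create_instance the new "starting the KDC" step is placed right before `__common_post_setup`, but the step that runs `setup_pkinit` on a master is not within this hunk's context, so it is not visible whether it is scheduled before or after this line; if it runs earlier, the `self.stop()`/`self.start()` added to `setup_pkinit` executes on a KDC that has never been started and certmonger's request for the KDC certificate cannot reach it, which is exactly the situation the commit message says it fixes. create_replica (the -183 hunk) gets the ordering right by placing the start step directly before `if setup_pkinit:`; a comment on the new create_instance line, `# the KDC must be running before certmonger requests the PKINIT cert`, would protect the dependency against future reordering of the steps.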
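Review bot: The new `backup` keyword on `__template_file` is undocumented, and the reason the second render of kdc.conf passes `backup=False` (in the setup_pkinit hunk) is not obvious from the code: presumably a second `fstore.backup_file` call would register the IPA-generated intermediate file as a backup, so uninstall could restore that instead of the pre-install file — confirm against FileStore.backup_file. A docstring naming both keywords would help, e.g. `"""Render the template for path into path. backup=False skips the fstore backup when rewriting a file IPA itself already rendered."""`; the `chmod` handling sits below this hunk, so also check that the `chmod=None` value passed by the new caller is accepted there rather than handed to os.chmod.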
@@ -377,6 +381,15 @@ def setup_pkinit(self):
 # have any selinux issues with the file context
 shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+ # Now modify configuration to add pkinit anchors and restart KDC
+ self.sub_dict['NOPK'] = ''
+ self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False)
+ try:
+ self.stop()
+ self.start()
+ except Exception:
+ root_logger.critical("krb5kdc service failed to restart")
+
 def get_anonymous_principal_name(self):
 return "%s@%s" % (ANON_USER, self.realm)
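Review bot: The `except Exception:` around `self.stop()`/`self.start()` discards the exception and lets the installer continue with a KDC that may be stopped or running without PKINIT, so the install reports success while Kerberos authentication is broken, and the log line carries no detail about why the restart failed. At minimum capture the error, `except Exception as e:` followed by `root_logger.critical("krb5kdc service failed to restart: %s", e)`, and consider re-raising so the step fails visibly instead of leaving the service down (assuming `root_logger` is already imported in this module). `setup_pkinit` starts above this hunk, so the certificate deployment that this restart depends on is not visible here.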