URL: https://github.com/freeipa/freeipa/pull/754
Author: flo-renaud
Title: #754: ipa-server-install with external CA: fix pkinit cert issuance
Action: opened

PR body:
"""
ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.

The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.

https://pagure.io/freeipa/issue/6921
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/754/head:pr754
git checkout pr754
From fa9a5107bbdccaa2d7f4788c4a452bc403e336c2 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 3 May 2017 10:21:12 +0200
Subject: [PATCH] ipa-server-install with external CA: fix pkinit cert issuance

ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.

The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.

https://pagure.io/freeipa/issue/6921
---
 ipaserver/install/krbinstance.py    | 8 ++++++++
 ipaserver/install/server/install.py | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 76ac302..2f14ff5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -108,6 +108,14 @@ def __init__(self, fstore=None):
     suffix = ipautil.dn_attribute_property('_suffix')
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
+    def init_info(self, realm_name, host_name, setup_pkinit=False,
+                  subject_base=None):
+        self.fqdn = host_name
+        self.realm = realm_name
+        self.suffix = ipautil.realm_to_suffix(realm_name)
+        self.subject_base = subject_base
+        self.config_pkinit = setup_pkinit
+
     def get_realm_suffix(self):
         return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
 
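Review bot: init_info() has no docstring, and its setup_pkinit=False default means a caller that omits the argument silently gets PKINIT disabled rather than an error. Since the commit message says enable_ssl() takes the wrong path when config_pkinit is unset, please document that init_info() must run before enable_ssl() whenever the full instance setup is skipped, and consider making setup_pkinit a required argument. Also confirm that assigning the default subject_base=None through the dn_attribute_property declared just above is accepted.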
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b360e05..0ce60e9 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -768,6 +768,10 @@ def install(installer):
                             setup_pkinit=not options.no_pkinit,
                             pkcs12_info=pkinit_pkcs12_info,
                             subject_base=options.subject_base)
+    else:
+        krb.init_info(realm_name, host_name,
+                      setup_pkinit=not options.no_pkinit,
+                      subject_base=options.subject_base)
 
     if setup_ca:
         if not options.external_cert_files and options.external_ca:
-- 