URL: https://github.com/freeipa/freeipa/pull/564
Author: martbab
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
Action: synchronized

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/564/head:pr564
git checkout pr564

From eb8be8a9d93962292a5dcf2c27875a7c95e68f7d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 9 Mar 2017 18:15:21 +0100
Subject: [PATCH] Reconfigure Kerberos library config as the last step of KDC
 install

During KDC installation, we overwrite the existing `/etc/krb5.conf` file
from client version to use only local KDC for client requests. However,
this means that services such as certmonger may try to kinit against
local KDC before it is up and running, resulting in subtle but serious
bugs.

The file should be updated only when KDC is set up properly and running.

https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..e4ed5d5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -139,6 +139,8 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
             pass
 
     def __common_post_setup(self):
+        self.step("configuring Kerberos library to use local KDC",
+                  self.__configure_krb5_conf)
         self.step("starting the KDC", self.__start_instance)
         self.step("configuring KDC to start on boot", self.__enable)
 
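Review bot: the new step is registered before `self.step("starting the KDC", self.__start_instance)` in `__common_post_setup`, so `/etc/krb5.conf` is still rewritten while the KDC is not yet running. That is the window the commit message wants to close ("The file should be updated only when KDC is set up properly and running"), and it is not the "last step" the subject line describes. Suggest moving the `self.step("configuring Kerberos library to use local KDC", ...)` call after the start step, and probably after `self.__enable`, so that services such as certmonger only see the local-KDC configuration once the KDC can answer.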
@@ -287,7 +289,6 @@ def __init_ipa_kdb(self):
 
     def __configure_instance(self):
         self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
-        self.__template_file(paths.KRB5_CONF)
         self.__template_file(paths.HTML_KRB5_INI)
         self.__template_file(paths.KRB_CON)
         self.__template_file(paths.HTML_KRBREALM_CON)
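Review bot: with `self.__template_file(paths.KRB5_CONF)` dropped from `__configure_instance`, the file is written only on code paths that go through `__common_post_setup`. Please confirm that every install flow calling `__configure_instance` also reaches `__common_post_setup`, and that none of the steps now running between the two depends on `krb5.conf` already pointing at the local KDC. A one-line comment here saying that KRB5_CONF is deliberately templated later would keep the call from being re-added by accident.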
@@ -314,6 +315,9 @@ def __configure_instance(self):
                                                     appendvars=appendvars)
         tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
 
+    def __configure_krb5_conf(self):
+        self.__template_file(paths.KRB5_CONF)
+
     #add the password extop module
     def __add_pwd_extop_module(self):
         self._ldap_mod("pwd-extop-conf.ldif", self.sub_dict)
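Review bot: `__configure_krb5_conf` has no docstring, although its ordering constraint is the only reason it exists as a separate method. Suggest a short docstring stating that it replaces the client version of `/etc/krb5.conf` with the local-KDC-only one and must not run before the KDC is set up and running, with a reference to https://pagure.io/freeipa/issue/6739, so a later reshuffle of the steps does not reintroduce the bug.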
-- 