URL: https://github.com/freeipa/freeipa/pull/666 Author: martbab Title: #666: Fix anonymous principal handling in replica install Action: opened
PR body: """ This PR should unblock replica install against <4.5 masters if the `--no-pkinit` option is given. Be aware that the Web UI will not work after install; this will be fixed once local PKINIT is implemented. Requires https://github.com/freeipa/freeipa/pull/631 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/666/head:pr666 git checkout pr666
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/6] Upgrade: configure PKINIT after adding anonymous principal
In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
- setup_pkinit(krb)
 enable_anonymous_principal(krb)
 http.request_anon_keytab()
+ setup_pkinit(krb)
 if not ds_running:
 ds.stop(ds_serverid)
From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/6] Remove unused variable from failed anonymous PKINIT handling
https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
- except ipautil.CalledProcessError as e:
+ except ipautil.CalledProcessError:
 raise RuntimeError("Failed to configure anonymous PKINIT")
 def enable_ssl(self):
From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/6] Split out anonymous PKINIT test to a separate method
This allows for more flexibility in the whole PKINIT setup process.
https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
 root_logger.critical("krb5kdc service failed to restart")
 raise
+ def test_anonymous_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
 self.steps = []
 self.step("installing X509 Certificate for PKINIT", self.setup_pkinit)
+ self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 self.start_creation()
From a2ecdb818ef9e3f8dc2bb97688c894c900009ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/6] Ensure KDC is propery configured after upgrade
https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
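Review bot: The new `test_anonymous_pkinit` keeps the existing `except ipautil.CalledProcessError:` branch that raises a bare `RuntimeError("Failed to configure anonymous PKINIT")`, so the kinit failure itself (wrong KDC cert EKU, missing trust anchor, KDC not reachable) is discarded and the operator only sees the generic message. Keep the cause: `except ipautil.CalledProcessError as e:` / `raise RuntimeError("Failed to configure anonymous PKINIT") from e`, or log the captured stderr before raising. The method also has no docstring; something like "Verify that the running KDC accepts anonymous PKINIT by obtaining an anonymous ticket with `kinit -n` into a private ccache; raises RuntimeError if the attempt fails" would tell an upgrade maintainer what a failure here means. The except/raise lines of the method lie after the end of this hunk.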
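Review bot: The added 'testing anonymous PKINIT' step performs a real `kinit -n` against the just-configured KDC, and `test_anonymous_pkinit` raises RuntimeError on any failure, so this step now aborts the install; the PR description says installs with `--no-pkinit` against <4.5 masters must succeed. I cannot see from this hunk whether `enable_ssl` is skipped in that case; if it is not, the new step needs the same guard that skips `setup_pkinit`, or it should log a warning instead of raising. A one-line comment on the step, `# fail early if the freshly issued KDC certificate does not actually work for anonymous PKINIT`, would make the intent explicit. The rest of `enable_ssl` lies outside the hunk.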
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
- if os.path.exists(paths.KDC_CERT):
- root_logger.info("PKINIT already set up")
- return
-
 if not api.Command.ca_is_enabled()['result']:
 root_logger.info("CA is not enabled")
 return
- krb.setup_pkinit()
+ if not os.path.exists(paths.KDC_CERT):
+ root_logger.info("Requesting PKINIT certificate")
+ krb.setup_pkinit()
+
 replacevars = dict()
 replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
 paths.KDC_CERT,paths.KDC_KEY)
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):
 if krb.is_running():
 krb.stop()
 krb.start()
+ krb.test_anonymous_pkinit()
 def disable_httpd_system_trust(http):
From fb65404aa0f13fde9c7cc99c31b1976ded2cfb71 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:41:59 +0100
Subject: [PATCH 5/6] Always check and create anonymous principal during KDC install
The anonymous principal will now be checked for presence and created on both server and replica install. This fixes errors caused during replica installation against older master that do not have anonymous principal present.
https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/krbinstance.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 5f4b528..6c105f7 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -33,7 +33,7 @@ from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython import kernel_keyring
-from ipalib import api
+from ipalib import api, errors
 from ipalib.constants import ANON_USER
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
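Review bot: The new guard `if not os.path.exists(paths.KDC_CERT):` decides whether to request the PKINIT certificate by looking at the certificate file only, while the identity written a few lines below is `FILE:KDC_CERT,KDC_KEY`; a host with a leftover certificate but no key (or a stale key without a certificate) skips the request and then fails the anonymous PKINIT test added in the second hunk. Check both halves of the pair: `if not (os.path.exists(paths.KDC_CERT) and os.path.exists(paths.KDC_KEY)):`. The removed early return also means kdc.conf is now rewritten and the KDC restarted on every upgrade when the CA is enabled; if that is intended, a comment such as `# always (re)write the pkinit_* settings so KDCs configured before anonymous PKINIT pick them up` would prevent someone from re-adding the shortcut. The kdc.conf update in the middle of `setup_pkinit` lies between this hunk and the next.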
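Review bot: `krb.test_anonymous_pkinit()` is invoked directly after `krb.start()`, and per the earlier hunks it raises RuntimeError when `kinit -n` fails, so a KDC that is still coming up or a certificate that does not work for PKINIT now aborts `ipa-server-upgrade` before the remaining upgrade steps run. If an upgrade is meant to stop here, say so with a comment on that line; if it should be tolerant, wrap the call, e.g. `except RuntimeError as e: root_logger.error("Anonymous PKINIT check failed: %s", e)`, so the rest of the upgrade completes and PKINIT can be repaired afterwards. I cannot tell from the hunk whether `krb.start()` waits for the KDC to accept connections before returning.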
@@ -142,6 +142,7 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 pass
 def __common_post_setup(self):
+ self.step("creating anonymous principal", self.add_anonymous_principal)
 self.step("starting the KDC", self.__start_instance)
 self.step("configuring KDC to start on boot", self.__enable)
@@ -160,7 +161,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 self.step("creating a keytab for the directory", self.__create_ds_keytab)
 self.step("creating a keytab for the machine", self.__create_host_keytab)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
- self.step("creating anonymous principal", self.add_anonymous_principal)
 self.__common_post_setup()
@@ -432,8 +432,17 @@ def get_anonymous_principal_name(self):
 def add_anonymous_principal(self):
 # Create the special anonymous principal
 princ_realm = self.get_anonymous_principal_name()
- installutils.kadmin_addprinc(princ_realm)
- self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+ dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
+ try:
+ self.api.Backend.ldap2.get_entry(dn)
+ except errors.NotFound:
+ installutils.kadmin_addprinc(princ_realm)
+ self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+
+ try:
+ self.api.Backend.ldap2.set_entry_active(dn, True)
+ except errors.AlreadyActive:
+ pass
 def __convert_to_gssapi_replication(self):
 repl = replication.ReplicationManager(self.realm,
From e82000f01f18ccab44bf9a3014c40ee784e5c8ce Mon Sep 17 00:00:00 2001
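Review bot: `add_anonymous_principal` now does an existence check, a conditional create plus ACI load, and an unconditional activation, but its only documentation is still the old `# Create the special anonymous principal` comment on the line above `princ_realm`. Since the commit message says it now runs on replica installs as well and the logic is meant to be repeatable, give it a docstring along the lines of "Ensure the anonymous principal exists and is active: create it (with its ACI) through kadmin when the entry is missing, e.g. when installing a replica against a pre-4.5 master, then activate it; safe to call repeatedly." Two things I cannot verify from the hunk: `DN` is used in the new code but the import hunk only adds `errors`, so confirm `DN` is already imported in krbinstance.py, and the check-then-create is not atomic, so two replicas installed in parallel against an old master could both take the `NotFound` branch and the second `kadmin_addprinc` would fail, which is worth a note if it is a known limitation.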
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:52:14 +0100
Subject: [PATCH 6/6] Remove duplicate functionality in upgrade
Since krbinstance code can now handle all operations of the `enabled_anonymous_principal` function from upgrade we can remove extraneous function altogether.
https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/server/upgrade.py | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0db764c..25b8629 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1482,20 +1482,6 @@ def add_default_caacl(ca):
 sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
-def enable_anonymous_principal(krb):
- princ_realm = krb.get_anonymous_principal_name()
- dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
- try:
- _ = api.Backend.ldap2.get_entry(dn) # pylint: disable=unused-variable
- except ipalib.errors.NotFound:
- krb.add_anonymous_principal()
-
- try:
- api.Backend.ldap2.set_entry_active(dn, True)
- except ipalib.errors.AlreadyActive:
- pass
-
-
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
@@ -1809,7 +1795,7 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
- enable_anonymous_principal(krb)
+ krb.add_anonymous_principal()
 http.request_anon_keytab()
 setup_pkinit(krb)