URL: https://github.com/freeipa/freeipa/pull/564 Author: martbab Title: #564: Reconfigure Kerberos library config as the last step of KDC install Action: opened
PR body: """ During KDC installation, we overwrite the existing `/etc/krb5.conf` file from client version to use only local KDC for client requests. However, this means that services such as certmonger may try to kinit against local KDC before it is up and running, resulting in subtle but serious bugs. The file should be updated only when KDC is set up properly and running. https://pagure.io/freeipa/issue/6739 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/564/head:pr564 git checkout pr564
From c1f092c071167791fba52fe7a0c9f00e86f3a670 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 9 Mar 2017 18:15:21 +0100
Subject: [PATCH] Reconfigure Kerberos library config as the last step of KDC install

During KDC installation, we overwrite the existing `/etc/krb5.conf` file from client version to use only local KDC for client requests. However, this means that services such as certmonger may try to kinit against local KDC before it is up and running, resulting in subtle but serious bugs. The file should be updated only when KDC is set up properly and running. https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..1a0b2c6 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -141,6 +141,8 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 def __common_post_setup(self):
 self.step("starting the KDC", self.__start_instance)
 self.step("configuring KDC to start on boot", self.__enable)
+ self.step("configuring Kerberos library to use local KDC",
+ self.__configure_krb5_conf)
 def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
 self.master_password = master_password
@@ -287,7 +289,6 @@ def __init_ipa_kdb(self):
 def __configure_instance(self):
 self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
- self.__template_file(paths.KRB5_CONF)
 self.__template_file(paths.HTML_KRB5_INI)
 self.__template_file(paths.KRB_CON)
 self.__template_file(paths.HTML_KRBREALM_CON)
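Review bot: In `__common_post_setup` the krb5.conf step now runs last, so any installer step registered between `__configure_instance` and this point executes against whatever `/etc/krb5.conf` was already on the host (the client version, per the commit message). Those steps are not visible in this patch; any of them that relied on the library already resolving the local realm or KDC should be checked before merging. It is also worth confirming that `__start_instance` returns only once the KDC is answering requests, otherwise the window described in the commit message is narrowed rather than closed. A comment above the new step would keep the ordering from being undone later, for example `# keep last: krb5.conf must not point at the local KDC before it is running`.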
@@ -314,6 +315,9 @@ def __configure_instance(self):
 appendvars=appendvars)
 tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
+ def __configure_krb5_conf(self):
+ self.__template_file(paths.KRB5_CONF)
+
 #add the password extop module
 def __add_pwd_extop_module(self):
 self._ldap_mod("pwd-extop-conf.ldif", self.sub_dict)
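Review bot: `__configure_krb5_conf` has no docstring, and the reason it exists is an ordering constraint that the name alone does not convey. I would add `"""Point the system Kerberos library at the local KDC; run only after the KDC is started."""` as its first line. The context above shows `__configure_instance` calling `tasks.restore_context(...)` for the sysconfig directory only. Whether `__template_file` itself takes care of the backup, mode and SELinux context of `/etc/krb5.conf` is not visible here, and is worth confirming now that the write happens in its own step. `__configure_instance` starts outside this hunk.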