URL: https://github.com/freeipa/freeipa/pull/631 Author: martbab Title: #631: Upgrade: configure PKINIT after adding anonymous principal Action: synchronized
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous principal

In order to set up PKINIT, the anonymous principal must already be created, otherwise the upgrade with fail when trying out anonymous PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
- setup_pkinit(krb)
 enable_anonymous_principal(krb)
 http.request_anon_keytab()
+ setup_pkinit(krb)

 if not ds_running:
 ds.stop(ds_serverid)

From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT handling

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
- except ipautil.CalledProcessError as e:
+ except ipautil.CalledProcessError:
 raise RuntimeError("Failed to configure anonymous PKINIT")

 def enable_ssl(self):

From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
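Review bot: The ordering constraint this hunk fixes is invisible at the call site — nothing says that `setup_pkinit(krb)` must run after `enable_anonymous_principal(krb)` and `http.request_anon_keytab()`, so a later reorder would silently reintroduce the failure the commit message describes. A one-line comment above the moved call would pin it: `# must follow enable_anonymous_principal(): PKINIT setup is verified with an anonymous kinit`. upgrade_configuration() starts and ends outside the hunk.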
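Review bot: Dropping `as e` discards the only diagnostic from the failed `kinit -n`; the RuntimeError raised on the next line carries a fixed message, so neither the exit status nor the kinit output reaches the install or upgrade log. Keeping the binding and logging it before re-raising makes a PKINIT failure diagnosable without re-running kinit by hand: `except ipautil.CalledProcessError as e:` / `root_logger.error("Anonymous PKINIT test failed: %s", e)` / `raise RuntimeError("Failed to configure anonymous PKINIT")`, using the same root_logger the krb5kdc restart handling earlier in this function already uses (visible in patch 3). setup_pkinit's body begins outside the hunk.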
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/4] Split out anonymous PKINIT test to a separate method

This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
 root_logger.critical("krb5kdc service failed to restart")
 raise

+ def test_anonymous_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
 self.steps = []
 self.step("installing X509 Certificate for PKINIT",
 self.setup_pkinit)
+ self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 self.start_creation()

From a2ecdb818ef9e3f8dc2bb97688c894c900009ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/4] Ensure KDC is propery configured after upgrade

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
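Review bot: The new `test_anonymous_pkinit` method has no docstring, and its name does not tell a caller that it signals failure by raising rather than by returning a result, which matters now that patch 4 calls it from the upgrade path. A docstring such as `"""Verify anonymous PKINIT by obtaining an anonymous TGT with kinit -n into a private ccache; raises RuntimeError if kinit fails."""` would state the contract the except clause (just past this hunk, see patch 2) implements. The method body continues outside the hunk.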
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
- if os.path.exists(paths.KDC_CERT):
- root_logger.info("PKINIT already set up")
- return
-
 if not api.Command.ca_is_enabled()['result']:
 root_logger.info("CA is not enabled")
 return
- krb.setup_pkinit()
+ if not os.path.exists(paths.KDC_CERT):
+ root_logger.info("Requesting PKINIT certificate")
+ krb.setup_pkinit()
+
 replacevars = dict()
 replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
 paths.KDC_CERT,paths.KDC_KEY)
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):
 if krb.is_running():
 krb.stop()
 krb.start()
+ krb.test_anonymous_pkinit()


 def disable_httpd_system_trust(http):
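Review bot: The new `if not os.path.exists(paths.KDC_CERT)` decides from the certificate file alone whether the certificate step can be skipped, while the pkinit_identity written three lines later names both paths.KDC_CERT and paths.KDC_KEY; a host that has the cert but not the key file would skip krb.setup_pkinit(), get a FILE: identity whose key half does not exist, restart the KDC and only fail at the anonymous PKINIT test. Checking both files is one line: `if not (os.path.exists(paths.KDC_CERT) and os.path.exists(paths.KDC_KEY)):`. Whether krb.setup_pkinit() tolerates an already-present certificate file when re-run is not visible here and should be confirmed before widening the condition. The middle of setup_pkinit lies between the two hunks.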
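Review bot: The added `krb.test_anonymous_pkinit()` turns any failure of the anonymous kinit into an uncaught RuntimeError from setup_pkinit(), which, unless a try/finally outside this view handles it, aborts upgrade_configuration() part-way — in patch 1 the `if not ds_running: ds.stop(...)` cleanup follows the setup_pkinit(krb) call and would be skipped. If making a broken anonymous PKINIT fatal to every upgrade is intended, the commit message should say so; otherwise the upgrade should log the failure and carry on, since the KDC restart above has already applied the configuration. The rest of setup_pkinit is outside the hunk.
```python
    # … unchanged: kdc.conf rewrite and KDC restart …
    krb.start()
    try:
        krb.test_anonymous_pkinit()
    except RuntimeError as e:
        # a non-working anonymous PKINIT is reported, not fatal to the upgrade
        root_logger.error("%s", e)
```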