From 0030118ddc81af2df215a31b3863e0f560332130 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen
Date: Mon, 21 May 2018 13:24:03 +0300
Subject: [PATCH] Create kadm5.acl if it doesn't exist
kadmind doesn't start without it, and Debian doesn't ship it by default.
Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka
Reviewed-By: Christian Heimes
---
 ipaserver/install/krbinstance.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c32f8c087..df6344998 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -299,6 +299,11 @@ class KrbInstance(service.Service):
 logger.debug("Persistent keyring CCACHE is not enabled")
 self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+ # Create kadm5.acl if it doesn't exist
+ if not os.path.exists(paths.KRB5KDC_KADM5_ACL):
+ open(paths.KRB5KDC_KADM5_ACL, 'a').close()
+ os.chmod(paths.KRB5KDC_KADM5_ACL, 0o600)
+
 def __add_krb_container(self):
 self._ldap_mod("kerberos.ldif", self.sub_dict)
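Review bot: The added block creates the file with `open(paths.KRB5KDC_KADM5_ACL, 'a')` under the process umask and only tightens it to 0600 in the following `os.chmod`, so the kadmind ACL file can briefly exist with wider permissions, and the `os.path.exists` test before it is a check-then-act sequence. Creating it with its final mode in one call avoids both: `fd = os.open(paths.KRB5KDC_KADM5_ACL, os.O_WRONLY | os.O_CREAT, 0o600)` followed by `os.close(fd)`, which leaves an existing file untouched just as the current code does. The comment could also record why the file is left empty, e.g. `# kadmind refuses to start without kadm5.acl; an empty file grants no admin rights`. The enclosing method starts above the hunk, so whether the installer later records this file for uninstall or restores its SELinux context is not visible here and is worth confirming.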