client install: fix client PKINIT configuration

Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

ipaserver/install/cainstance.py

@@ -794,10 +794,13 @@ class CAInstance(DogtagInstance):
         certlist = x509.pkcs7_to_pems(data, x509.DER)
 
         # We have all the certificates in certlist, write them to a PEM file
-        with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
-            for cert in certlist:
-                ipaca_pem.write(cert)
-                ipaca_pem.write('\n')
+        for path in [paths.IPA_CA_CRT,
+                     paths.KDC_CA_BUNDLE_PEM,
+                     paths.CA_BUNDLE_PEM]:
+            with open(path, 'w') as ipaca_pem:
+                for cert in certlist:
+                    ipaca_pem.write(cert)
+                    ipaca_pem.write('\n')
 
     def __request_ra_certificate(self):
         # create a temp file storing the pwd

ipaserver/install/ipa_backup.py

@@ -150,6 +150,8 @@ class Backup(admintool.AdminTool):
         paths.SSHD_CONFIG,
         paths.SSH_CONFIG,
         paths.KRB5_CONF,
+        paths.KDC_CA_BUNDLE_PEM,
+        paths.CA_BUNDLE_PEM,
         paths.IPA_CA_CRT,
         paths.IPA_DEFAULT_CONF,
         paths.DS_KEYTAB,

ipaserver/install/krbinstance.py

@@ -261,7 +261,9 @@ class KrbInstance(service.Service):
                              KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
                              KDC_CERT=paths.KDC_CERT,
                              KDC_KEY=paths.KDC_KEY,
-                             CACERT_PEM=paths.CACERT_PEM)
+                             CACERT_PEM=paths.CACERT_PEM,
+                             KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
+                             CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
 
         # IPA server/KDC is not a subdomain of default domain
         # Proper domain-realm mapping needs to be specified

ipaserver/install/server/install.py

@@ -796,6 +796,16 @@ def install(installer):
         x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
         os.chmod(paths.IPA_CA_CRT, 0o444)
 
+        if not options.no_pkinit:
+            x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
+        else:
+            with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
+                pass
+        os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
+
+        x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM)
+        os.chmod(paths.CA_BUNDLE_PEM, 0o444)
+
     # we now need to enable ssl on the ds
     ds.enable_ssl()
 

ipaserver/install/server/replicainstall.py

@@ -1390,6 +1390,10 @@ def install(installer):
 
         # Update and istall updated CA file
         cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
+        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
+                        destfile=paths.KDC_CA_BUNDLE_PEM)
+        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
+                        destfile=paths.CA_BUNDLE_PEM)
 
         # Configure dirsrv
         ds = install_replica_ds(config, options, ca_enabled,

ipaserver/install/server/upgrade.py

@@ -1831,7 +1831,9 @@ def upgrade_configuration():
                         KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
                         KDC_CERT=paths.KDC_CERT,
                         KDC_KEY=paths.KDC_KEY,
-                        CACERT_PEM=paths.CACERT_PEM)
+                        CACERT_PEM=paths.CACERT_PEM,
+                        KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
+                        CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
     krb.add_anonymous_principal()
     setup_pkinit(krb)