client install: fix client PKINIT configuration

Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`. Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs known to IPA. Make sure both bundles are exported in all installation code paths. https://pagure.io/freeipa/issue/6831 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-05-03 06:48:57 +00:00
parent 01a7416d30
commit 11b8a34346
12 changed files with 60 additions and 8 deletions
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -796,6 +796,16 @@ def install(installer):
        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
        os.chmod(paths.IPA_CA_CRT, 0o444)

+        if not options.no_pkinit:
+            x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
+        else:
+            with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
+                pass
+        os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
+
+        x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM)
+        os.chmod(paths.CA_BUNDLE_PEM, 0o444)
+
    # we now need to enable ssl on the ds
    ds.enable_ssl()

--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1390,6 +1390,10 @@ def install(installer):

        # Update and istall updated CA file
        cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
+        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
+                        destfile=paths.KDC_CA_BUNDLE_PEM)
+        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
+                        destfile=paths.CA_BUNDLE_PEM)

        # Configure dirsrv
        ds = install_replica_ds(config, options, ca_enabled,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1831,7 +1831,9 @@ def upgrade_configuration():
                        KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
                        KDC_CERT=paths.KDC_CERT,
                        KDC_KEY=paths.KDC_KEY,
-                        CACERT_PEM=paths.CACERT_PEM)
+                        CACERT_PEM=paths.CACERT_PEM,
+                        KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
+                        CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
    krb.add_anonymous_principal()
    setup_pkinit(krb)