From 53c5c0ad7bde137b1123504f6a52c2b22e2a3868 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 28 Jun 2017 09:49:18 +0200 Subject: [PATCH] smart-card-advises: ensure that krb5-pkinit is installed on client This library is a prerequisite for successful Smart Card authentication on the client. The client-side advise should make sure this dependency is present. https://pagure.io/freeipa/issue/7036 Reviewed-By: Florence Blanc-Renaud Reviewed-By: Alexander Bokovoy --- ipaserver/advise/plugins/smart_card_auth.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index 5134db535..fb328f29c 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -256,6 +256,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): self.check_ccache_not_empty() self.check_and_remove_pam_pkcs11() self.install_opensc_and_dconf_packages() + self.install_krb5_client_dependencies() self.start_enable_smartcard_daemon() self.add_pkcs11_module_to_systemwide_db() self.upload_smartcard_ca_certificates_to_systemwide_db() @@ -281,6 +282,12 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): ['Could not install OpenSC package'] ) + def install_krb5_client_dependencies(self): + self.log.exit_on_failed_command( + 'yum install -y krb5-pkinit-openssl', + ['Failed to install Kerberos client PKINIT extensions.'] + ) + def start_enable_smartcard_daemon(self): self.log.command( 'systemctl start {service} {socket} '