Don't block when kinit_pkinit() fails

Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.

`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.

Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes
2023-02-21 12:39:04 +01:00
committed by Florence Blanc-Renaud
parent 0a8a392248
commit 8803938570

@@ -172,4 +172,6 @@ def kinit_pkinit(
# this workaround enables us to capture stderr and put it
# into the raised exception in case of unsuccessful authentication
run(args, env=env, raiseonerr=True, capture_error=True)
# Unsuccessful pkinit can lead to a password prompt. Send \n to skip
# prompt.
run(args, env=env, stdin="\n", raiseonerr=True, capture_error=True)
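Review bot: the new comment above the `run(args, env=env, stdin="\n", ...)` call says what is sent but not why. The reason given in the commit message (kinit has no option to force non-interactive mode, and a failed PKINIT falls back to a password prompt that blocks the installer) belongs in that code comment, so the `stdin` argument is not later removed as unnecessary. It is also worth confirming that the stderr captured into the raised exception still names the original PKINIT failure and not only the failed password fallback, since the comment at the top of the hunk says that capture exists to report the authentication error.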