From 8803938570dfb70586fa89d2d2d7aad4b0965305 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 21 Feb 2023 12:39:04 +0100
Subject: [PATCH] Don't block when kinit_pkinit() fails

Installation of ipa-client with PKINIT authentication can block when there is a problem with PKINIT, e.g. KDC does not accept the cert or the anchor chain is incomplete. `kinit` falls back to password authentication and asks the user to enter a password. `kinit` does not have an option to force non-interactive mode. Sending `\n` to stdin seems to be the only solution here.
Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy
---
 ipalib/install/kinit.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 968605c05..cc839ec38 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -172,4 +172,6 @@ def kinit_pkinit(
 # this workaround enables us to capture stderr and put it
 # into the raised exception in case of unsuccessful authentication
- run(args, env=env, raiseonerr=True, capture_error=True)
+ # Unsuccessful pkinit can lead to a password prompt. Send \n to skip
+ # prompt.
+ run(args, env=env, stdin="\n", raiseonerr=True, capture_error=True)
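Review bot: With `stdin="\n"` on the new `run(...)` call, a failed PKINIT no longer hangs, but kinit now receives an empty reply at its password fallback prompt. The stderr that `capture_error=True` puts into the raised exception is therefore likely to describe a password or pre-authentication failure rather than the PKINIT cause named in the commit message (rejected certificate, incomplete anchor chain). The added comment should say so, e.g. `# The empty line answers kinit's password fallback prompt; the captured error may mention a bad password although the real cause is a PKINIT failure.` It may also be worth confirming that this empty-password attempt is not counted as a failed login against the principal under the KDC's lockout policy; nothing in the hunk shows either way. The body of kinit_pkinit starts outside the hunk, so how `args` and `env` are built is not visible here.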