install: do not assume /etc/krb5.conf.d exists

Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if /etc/krb5.conf.d exists. Do not rely on /etc/krb5.conf.d to enable the certauth plugin. This fixes install on platforms which do not have /etc/krb5.conf.d. https://pagure.io/freeipa/issue/6589 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-03-20 06:56:53 +00:00
parent d308abac2e
commit d5fc0ddd87
8 changed files with 56 additions and 21 deletions
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -249,6 +249,11 @@ class KrbInstance(service.Service):
            root_logger.critical("krb5kdc service failed to start")

    def __setup_sub_dict(self):
+        if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+            includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
+        else:
+            includes = ''
+
        self.sub_dict = dict(FQDN=self.fqdn,
                             IP=self.ip,
                             PASSWORD=self.kdc_password,
@@ -264,7 +269,8 @@ class KrbInstance(service.Service):
                             KDC_KEY=paths.KDC_KEY,
                             CACERT_PEM=paths.CACERT_PEM,
                             KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
-                             CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
+                             CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
+                             INCLUDES=includes)

        # IPA server/KDC is not a subdomain of default domain
        # Proper domain-realm mapping needs to be specified
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1553,6 +1553,38 @@ def setup_pkinit(krb):
        aug.close()


+def enable_certauth(krb):
+    root_logger.info("[Enable certauth]")
+
+    aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
+                 loadpath=paths.USR_SHARE_IPA_DIR)
+    try:
+        aug.transform('IPAKrb5', paths.KRB5_CONF)
+        aug.load()
+
+        path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
+        modified = False
+
+        if not aug.match(path):
+            aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
+            aug.set('{}/enable_only'.format(path), 'ipakdb')
+            modified = True
+
+        if modified:
+            try:
+                aug.save()
+            except IOError:
+                for error_path in aug.match('/augeas//error'):
+                    root_logger.error('augeas: %s', aug.get(error_path))
+                raise
+
+            if krb.is_running():
+                krb.stop()
+            krb.start()
+    finally:
+        aug.close()
+
+
 def disable_httpd_system_trust(http):
    ca_certs = []

@@ -1846,6 +1878,7 @@ def upgrade_configuration():
                        CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
    krb.add_anonymous_principal()
    setup_pkinit(krb)
+    enable_certauth(krb)

    if not ds_running:
        ds.stop(ds_serverid)