Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.
Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.
This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.
https://pagure.io/freeipa/issue/6867
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Make sure `cacert.pem` is exported in all installation code paths.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.
The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.
Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.
Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.
This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.
Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.
https://pagure.io/freeipa/issue/6370
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
During an upgrade, http.suffix is used to identify ldap entry when
configuring kdc proxy. When the suffix is missing, the script crashed
when enabling KDC proxy, because it used invalid DN.
Fixes https://pagure.io/freeipa/issue/6920
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
During upgrade keytab is moved to a new location using "move" operation.
This commit replaces move operation with "copy" and "remove" that
ensures a proper selinux context.
https://pagure.io/freeipa/issue/6924
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.
The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.
https://pagure.io/freeipa/issue/6921
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.
https://pagure.io/freeipa/issue/6183
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.
https://pagure.io/freeipa/issue/6183
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
an own pkinit certificate and private key.
https://pagure.io/freeipa/issue/6807
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.
https://pagure.io/freeipa/issue/6743
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.
Make sure all certmonger requests in the installer are done after the host
keytab is set up.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.
Consolidate the non-promotion and promotion code paths into one.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since krbinstance code can now handle all operations of the
`enabled_anonymous_principal` function from upgrade we can remove
extraneous function altogether.
https://pagure.io/freeipa/issue/6799
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary direcories exist. Creating
the directories in the begining of server uninstall ensure that the uninstall
will go through.
https://pagure.io/freeipa/issue/6715
Reviewed-By: Martin Basti <mbasti@redhat.com>
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release, the old master denies this operations.
https://pagure.io/freeipa/issue/6549
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:
* CA is configured or PKCS#12 file is provided
* LDAP, KDC and Apache are configured and the master role is thus
completed and enabled
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:
* IPA has its own trust store, which is effectively bypassed when the
system trust module is enabled in the database. This may cause IPA
unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
trusted by httpd.
* On client install, the IPA trust configuration is copied to the system
trust store for third parties. When this configuration is removed, it may
cause loss of trust information in /etc/httpd/alias
(https://bugzilla.redhat.com/show_bug.cgi?id=1427897).
* When a CA certificate provided by the user in CA-less install conflicts
with a CA certificate in the system trust store, the latter may be used
by httpd, leading to broken https
(https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).
Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.
https://pagure.io/freeipa/issue/6132
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
