freeipa/install/restart_scripts/renew_kdc_cert
Jan Cholasta f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00

Python
Executable File

#!/usr/bin/python2 -E
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
import os
import syslog
import traceback

from ipaplatform import services
from ipaplatform.paths import paths
from ipaserver.install import certs


def main():
    # Serialize with the other renewal scripts through the shared lock.
    with certs.renewal_lock:
        # The renewed KDC certificate is public data; make sure it is
        # world-readable again before the KDC (and PKINIT clients) use it.
        os.chmod(paths.KDC_CERT, 0o644)
        try:
            if services.knownservices.krb5kdc.is_running():
                syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc')
                services.knownservices.krb5kdc.restart()
        except Exception as e:
            syslog.syslog(
                syslog.LOG_ERR, "cannot restart krb5kdc: {}".format(e))


try:
    main()
except Exception:
    # Log the full traceback so a failed renewal hook is visible in syslog.
    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
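An added example (my own audit helper, not FreeIPA code) covering the two things this commit and restart script touch: it parses a realm stanza from kdc.conf, reports a missing `pkinit_pool`, and checks that the KDC certificate named in `pkinit_identity` is world-readable while its key is not. The kdc.conf excerpt and the /var/kerberos/krb5kdc paths are constructed assumptions.

```python
import os
import re
import stat

# kdc.conf excerpt constructed for this example; the file paths in it are
# assumptions (FreeIPA's defaults as I know them), not taken from the page.
SAMPLE_KDC_CONF = """\
[realms]
 EXAMPLE.TEST = {
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
"""

def parse_realm(conf_text, realm):
    """Return the `key = value` settings inside `REALM = { ... }` in [realms]."""
    sec = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", conf_text, re.S | re.M)
    pat = r"^\s*%s\s*=\s*\{(.*?)^\s*\}" % re.escape(realm)
    blk = re.search(pat, sec.group(1), re.S | re.M) if sec else None
    settings = {}
    for line in (blk.group(1).splitlines() if blk else []):
        key, eq, value = line.strip().partition("=")
        if eq:
            settings[key.strip()] = value.strip()
    return settings

def audit_pkinit(conf_text, realm, stat_fn=os.stat):
    """Return a list of findings; an empty list means the realm passes."""
    s = parse_realm(conf_text, realm)
    findings = ["%s not set for %s" % (opt, realm)
                for opt in ("pkinit_identity", "pkinit_anchors", "pkinit_pool")
                if opt not in s]
    # pkinit_identity is FILE:<cert>,<key>.  The KDC cert is public and
    # clients may pin it as an anchor, so it must stay world-readable (the
    # 0644 the restart script above enforces); the key must not be.
    ident = s.get("pkinit_identity", "")
    paths = ident[5:].split(",") if ident.startswith("FILE:") else []
    for path, private in zip(paths, (False, True)):
        try:
            mode = stat.S_IMODE(stat_fn(path).st_mode)
        except OSError:
            findings.append("%s is missing" % path)
            continue
        if private and mode & 0o077:
            findings.append("%s is group/world readable" % path)
        elif not private and not mode & 0o004:
            findings.append("%s is not world readable" % path)
    return findings
```

`stat_fn` is injectable so the checks can be exercised against recorded file modes without touching the real KDC directory.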