From 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Apr 28 2017 08:38:12 +0000
Subject: Use local anchor when armoring password requests


https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

---

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 77ed7e1..1618724 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -944,7 +944,7 @@ class login_password(Backend, KerberosSession):
         self.debug('Obtaining armor in ccache %s', armor_path)
 
         try:
-            kinit_armor(armor_path)
+            kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM)
         except RuntimeError as e:
             self.error("Failed to obtain armor cache")
             # We try to continue w/o armor, 2FA will be impacted