From 2ff9684f14c14bcdf4a520c5e00cfe4030868143 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Sep 06 2018 12:19:55 +0000
Subject: ipa-replica-install: fix pkinit setup
commit 7284097 (Delay enabling services until end of installer) introduced a regression in replica installation. When the replica requests a cert for PKINIT, a check is done to ensure that the hostname corresponds to a machine with a KDC service enabled (ipaconfigstring attribute of cn=KDC,cn=,cn=masters,cn=ipa,cn=etc,$BASEDN must contain 'enabledService'). With the commit mentioned above, the service is set to enabled only at the end of the installation. The fix makes a less strict check, ensuring that 'enabledService' or 'configuredService' is in ipaconfigstring.
Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes
Reviewed-By: Christian Heimes
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3ff6c3f..67ab446 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -230,9 +230,11 @@ def ca_kdc_check(api_instance, hostname):
 ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
- if 'enabledservice' not in ipaconfigstring:
+ if 'enabledservice' not in ipaconfigstring \
+ and 'configuredservice' not in ipaconfigstring:
 raise errors.NotFound(
- reason=_("enabledService not in ipaConfigString kdc entry"))
+ reason=_("enabledService/configuredService not in "
+ "ipaConfigString kdc entry"))
 except errors.NotFound:
 raise errors.ACIError(
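Review bot: The relaxed condition in ca_kdc_check widens which hosts may be issued a PKINIT KDC certificate, and nothing in the code records why or for how long a `configuredService` entry is trusted. A master whose KDC entry was created but never switched to `enabledService` (presumably the case when an installation stops part-way) would now stay eligible. I would put the rationale next to the test, for example `# configuredService is accepted because replica install requests the PKINIT cert before the KDC entry is switched to enabledService`, and confirm that cleanup of failed installs removes the entry. As a style point, the backslash continuation can be replaced by a single set test, `if ipaconfigstring.isdisjoint({'enabledservice', 'configuredservice'}):`. The function continues past the hunk, so the ACIError text is not visible here; if it still calls the host an "active KDC", it no longer matches the check.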