From a1686a90c0cc8c16c89ef1bada7f507729bf3252 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mar 15 2017 15:39:39 +0000
Subject: Try out anonymous PKINIT after it is configured
After PKINIT certificate is requested and everything is set up, we should attempt to perform anonymous PKINIT and fail hard if it does not work for some reason.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 36d1588..d936cc5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,12 @@ class KrbInstance(service.Service):
 root_logger.critical("krb5kdc service failed to restart")
 raise
+ with ipautil.private_ccache() as anon_ccache:
+ try:
+ ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to configure anonymous PKINIT")
+
 def enable_ssl(self):
 if self.config_pkinit:
 self.steps = []
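Review bot: The `except ipautil.CalledProcessError as e:` branch binds `e` and then discards it, so the `RuntimeError` raised on the next line carries no trace of why `kinit -n` failed (exit status, KDC or certificate error), which is what an administrator needs when the installer aborts here. Log the cause before raising, e.g. `root_logger.critical("anonymous kinit failed: %s", e)` ahead of `raise RuntimeError("Failed to configure anonymous PKINIT")`, matching the `root_logger.critical(...)` call in the context lines above. The `kinit -n` call names no realm or KDC, so it presumably relies on the host's default krb5 configuration; a comment such as `# verify that the KDC configured on this host accepts anonymous PKINIT` would state the intent, and it is worth confirming the request cannot be answered by a different KDC in the realm. The enclosing method starts above the hunk, so how the earlier restart failure interacts with this check is not visible here.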