From c2d95d3962d525017732618e66b39b099235d43e Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mar 30 2017 11:09:42 +0000
Subject: Upgrade: configure PKINIT after adding anonymous principal


In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

---

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
                         KDC_CERT=paths.KDC_CERT,
                         KDC_KEY=paths.KDC_KEY,
                         CACERT_PEM=paths.CACERT_PEM)
-    setup_pkinit(krb)
     enable_anonymous_principal(krb)
     http.request_anon_keytab()
+    setup_pkinit(krb)
 
     if not ds_running:
         ds.stop(ds_serverid)