#7875 The /etc/krb5.conf does not get upgraded
Opened 5 years ago by adelton. Modified 4 years ago

Issue

While investigating https://github.com/freeipa/freeipa-container/issues/252, I've found out that /etc/krb5.conf on a container upgraded from older versions has

pkinit_anchors = FILE:/etc/ipa/ca.crt

while fresh installation on Fedora 27 and Fedora 28 has

pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

Steps to Reproduce

  1. Have FreeIPA installed on Fedora 25 (or maybe Fedora 26 will be enough).
  2. Yes, I know that it's been long EOL. What we try to do is verify if upgrades from old versions work.
  3. Upgrade that installation to Fedora 28.

Actual behavior

The /etc/krb5.conf does not get updated to match the fresh FreeIPA-on-Fedora 28.

Expected behavior

The /etc/krb5.conf does get updated to match the fresh FreeIPA-on-Fedora 28.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.7.2-1.1.fc28.x86_64
freeipa-client-4.7.2-1.1.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.21-1.fc28.x86_64
pki-ca-10.6.9-1.fc28.noarch
krb5-server-1.16.1-25.fc28.x86_64

Additional info:

This was an upgrade from Fedora 25.


A set of steps to fix the problem has been described at https://github.com/freeipa/freeipa-container/issues/252#issuecomment-515749623.

It'd be nice if people familiar with the FreeIPA internals could check them out to make sure they are not missing in FreeIPA's upgrade code.

AFAICT the CA path locations and config are missing in the krb5.conf upgrade code.
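
A check for the drift reported in this ticket, added here as an example (it is not FreeIPA's upgrade code and does not come from the ticket participants): it reads a krb5.conf and reports every pkinit_anchors or pkinit_pool relation that differs from the fresh-install values quoted in the issue. The function names, the EXAMPLE.TEST realm and the sample file are constructed, and treating any deviation from those two values as a finding is an assumption.

```python
import re

# Values the issue reports for a fresh FreeIPA install on Fedora 27/28.
EXPECTED = {
    "pkinit_anchors": "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem",
    "pkinit_pool": "FILE:/var/lib/ipa-client/pki/ca-bundle.pem",
}
SECTION = re.compile(r"^\[(\w+)\]$")
RELATION = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")

def pkinit_settings(text):
    """Return (section, enclosing block or None, key, value) per pkinit relation."""
    found, section, blocks = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if (m := SECTION.match(line)):
            section, blocks = m.group(1), []
        elif line.startswith("}"):
            if blocks:
                blocks.pop()              # end of a "REALM = {" block
        elif (m := RELATION.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":
                blocks.append(key)        # start of a nested block
            elif key in EXPECTED:
                found.append((section, blocks[-1] if blocks else None, key, value))
    return found

def audit(text):
    """Return findings; an empty list means the fresh-install values are in place."""
    settings, findings = pkinit_settings(text), []
    for key, want in EXPECTED.items():
        values = [v for _, _, k, v in settings if k == key]
        if not values:
            findings.append(f"{key} missing (fresh install: {want})")
        findings += [f"{key} = {v} (fresh install: {want})" for v in values if v != want]
    return findings

# Constructed sample: realm block as the issue describes it on an upgraded host.
UPGRADED = """[realms]
 EXAMPLE.TEST = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

if __name__ == "__main__":
    print("\n".join(audit(UPGRADED)))
```

To check a real host, pass the contents of /etc/krb5.conf to audit() instead of the constructed sample.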
