While investigating https://github.com/freeipa/freeipa-container/issues/252, I've found out that /etc/krb5.conf on a container upgraded from older versions has
/etc/krb5.conf
pkinit_anchors = FILE:/etc/ipa/ca.crt
while a fresh installation on Fedora 27 and Fedora 28 has
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
The /etc/krb5.conf does not get updated to match the fresh FreeIPA-on-Fedora 28.
The /etc/krb5.conf does get updated to match the fresh FreeIPA-on-Fedora 28.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.7.2-1.1.fc28.x86_64
freeipa-client-4.7.2-1.1.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.21-1.fc28.x86_64
pki-ca-10.6.9-1.fc28.noarch
krb5-server-1.16.1-25.fc28.x86_64
This was an upgrade from Fedora 25.
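A check for the drift described in this report, as an added example that is not part of the original ticket or of FreeIPA's code: it compares pkinit_anchors and pkinit_pool in a krb5.conf against the two sets of values quoted above. The function names, the exit codes and the EXAMPLE.TEST sample file are assumptions made for the example.

```shell
# Added example: classify the PKINIT trust settings found in a krb5.conf.
# The expected values are the ones quoted in the ticket above.
FRESH_ANCHORS='FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
FRESH_POOL='FILE:/var/lib/ipa-client/pki/ca-bundle.pem'
LEGACY_ANCHORS='FILE:/etc/ipa/ca.crt'

# Print every value assigned to key $1 in file $2, one per line
# (comment lines skipped, surrounding whitespace trimmed).
krb5_values() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$2"
}

# Return 0 = fresh-install layout, 1 = legacy anchors left by the upgrade,
# 2 = anything else (settings missing, repeated, or pointing elsewhere).
check_pkinit_conf() {
    conf=$1
    anchors=$(krb5_values pkinit_anchors "$conf")
    pool=$(krb5_values pkinit_pool "$conf")
    if [ "$anchors" = "$FRESH_ANCHORS" ] && [ "$pool" = "$FRESH_POOL" ]; then
        echo "$conf: matches fresh install"; return 0
    elif [ "$anchors" = "$LEGACY_ANCHORS" ]; then
        echo "$conf: legacy pkinit_anchors, pkinit_pool='${pool}'"; return 1
    fi
    echo "$conf: unexpected settings: anchors='${anchors}' pool='${pool}'"; return 2
}

# Constructed sample: realm fragment as seen on the upgraded container.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
EOF
check_pkinit_conf "$sample" || echo "exit status $? (1 = legacy)"
rm -f "$sample"
```

On a real system, call `check_pkinit_conf /etc/krb5.conf` after an upgrade and treat a non-zero status as a signal to review the configuration.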
A set of steps to fix the problem has been described at https://github.com/freeipa/freeipa-container/issues/252#issuecomment-515749623.
It'd be nice if people familiar with the FreeIPA internals could check them out to make sure they are not missing in FreeIPA's upgrade code.
AFAICT the CA path locations and config are missing in the krb5.conf upgrade code.
Also relevant: https://pagure.io/freeipa/issue/8025.