Issue #8440: CA-less install does not set required permissions on KDC certificate - freeipa

freeipa

#8440 CA-less install does not set required permissions on KDC certificate

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

Issue

When ipa server/replica is installed in CA-less mode with a KDC certificate, the KDC cert is installed in /var/kerberos/krb5kdc/kdc.crt but the permissions are left as 0600 and this breaks WebUI authentication

Steps to Reproduce

install CA_less ipa server with ipa-server-install [...] --pkinit-cert-file /path/to/kdc.p12
check the permissions on /var/kerberos/krb5kdc/kdc.crt
install CA-less ipa replica with ipa-replica-install [...] --pkinit-cert-file /path/to/kdc.p12
check the permissions on /var/kerberos/krb5kdc/kdc.crt

Actual behavior

The file has 600 root:root permissions. Connection to the WebGUI fails.

Expected behavior

The file should have 644 root:root permissions. Connection to the WebGUI should succeed.

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1863616

3 years ago

frenaud commented 3 years ago

Issue linked to Bugzilla: Bug 1863616

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4974
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1863616)
- Issue set to the milestone: FreeIPA 4.8.9

3 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1863616, https://bugzilla.redhat.com/show_bug.cgi?id=1863619

3 years ago

frenaud commented 3 years ago

Issue linked to Bugzilla: Bug 1863619

rcritten commented 3 years ago

master:

9335bd9 CAless installation: set the perms on KDC cert file
a26e0ba ipatests: check KDC cert permissions in CA less install

frenaud commented 3 years ago

ipa-4-6:

9c9b9fd CAless installation: set the perms on KDC cert file
87ba8c5 ipatests: check KDC cert permissions in CA less install

frenaud commented 3 years ago

ipa-4-8:

81c955e CAless installation: set the perms on KDC cert file
295dd42 ipatests: check KDC cert permissions in CA less install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

frenaud

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

FreeIPA 4.8.9

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/4974

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1863616, https://bugzilla.redhat.com/show_bug.cgi?id=1863619

tester

None

changelog

None

design

None

freeipa

Source Code

#8440 CA-less install does not set required permissions on KDC certificate Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

Issue

Steps to Reproduce

Actual behavior

Expected behavior

Metadata

#8440 CA-less install does not set required permissions on KDC certificate

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.