#8440 CA-less install does not set required permissions on KDC certificate
Closed: fixed 8 months ago by frenaud. Opened 8 months ago by frenaud.

Issue

When an ipa server/replica is installed in CA-less mode with a KDC certificate, the KDC cert is installed in /var/kerberos/krb5kdc/kdc.crt but the permissions are left as 0600 and this breaks WebUI authentication.

Steps to Reproduce

  1. install CA-less ipa server with ipa-server-install [...] --pkinit-cert-file /path/to/kdc.p12
  2. check the permissions on /var/kerberos/krb5kdc/kdc.crt
  3. install CA-less ipa replica with ipa-replica-install [...] --pkinit-cert-file /path/to/kdc.p12
  4. check the permissions on /var/kerberos/krb5kdc/kdc.crt

Actual behavior

The file has 600 root:root permissions. Connection to the WebGUI fails.

Expected behavior

The file should have 644 root:root permissions. Connection to the WebGUI should succeed.
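
A check for the condition in this ticket, as an added example (not FreeIPA's installer code or its ipatests test): it compares the mode and ownership of the KDC certificate against the 644 root:root given under expected behavior. The function name `check_cert_perms` and the temporary file used in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"  # path from the ticket
EXPECTED_MODE = 0o644                        # expected mode from the ticket


def check_cert_perms(path, expected_mode=EXPECTED_MODE, uid=0, gid=0):
    """Return a list of findings; an empty list means the file matches."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at path
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        detail = f"{path}: mode {mode:04o}, expected {expected_mode:04o}"
        if not mode & stat.S_IROTH:
            detail += " (not world-readable, the failure in this ticket)"
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            detail += " (writable by group or others)"
        findings.append(detail)
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(
            f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    return findings


def demo():
    """Constructed sample: a temporary file stands in for kdc.crt."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "kdc.crt")
        with open(cert, "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
        # The sample is not owned by root, so expect its actual owner here.
        st = os.stat(cert)
        owner = {"uid": st.st_uid, "gid": st.st_gid}
        os.chmod(cert, 0o600)   # state described under "Actual behavior"
        before = check_cert_perms(cert, **owner)
        os.chmod(cert, 0o644)   # state described under "Expected behavior"
        after = check_cert_perms(cert, **owner)
        return before, after


if __name__ == "__main__":
    for finding in check_cert_perms(KDC_CERT):
        print(finding)
```

Run as a script on an installed server or replica, it prints nothing when the file is 644 root:root.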


Metadata Update from @frenaud:
- Issue assigned to frenaud

8 months ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1863616

8 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4974
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1863616)
- Issue set to the milestone: FreeIPA 4.8.9

8 months ago

master:

  • 9335bd9 CAless installation: set the perms on KDC cert file
  • a26e0ba ipatests: check KDC cert permissions in CA less install

ipa-4-6:

  • 9c9b9fd CAless installation: set the perms on KDC cert file
  • 87ba8c5 ipatests: check KDC cert permissions in CA less install

ipa-4-8:

  • 81c955e CAless installation: set the perms on KDC cert file
  • 295dd42 ipatests: check KDC cert permissions in CA less install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
