#8531 RFE: Use host keytab to obtain ticket for ipa-certupdate
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by rcritten.

Request for enhancement

As an administrator I don't want to have to manually obtain a TGT in order to execute ipa-certupdate when the CA chain is updated. This will allow for easier automation.

Steps to Reproduce

  1. # rm -rf ~/.cache/ipa/s*
  2. # ipa-certupdate

Actual behavior

did not receive Kerberos credentials
The ipa-certupdate command failed.

This happens if there is no schema downloaded from the IPA server in the user's cache. The api.finalize() happens before the kinit_keytab() call.

A better solution may be to drop the kinit_keytab() call and add this before api.finalize():

os.environ['KRB5_CLIENT_KTNAME'] = '/etc/krb5.keytab'

Metadata Update from @pcech:
- Issue priority set to: important (was: normal)

3 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

master:

  • d9b259d Use host keytab to obtain credentials needed for ipa-certupdate
  • d30939e ipatests: Test that ipa-certupdate can run without credentials

ipa-4-9:

  • 1a09ce9 Use host keytab to obtain credentials needed for ipa-certupdate
  • 4941d3d ipatests: Test that ipa-certupdate can run without credentials

ipa-4-8:

  • 1e541a6 Use host keytab to obtain credentials needed for ipa-certupdate
  • 449df02 ipatests: Test that ipa-certupdate can run without credentials

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
