#8531 RFE: Use host keytab to obtain ticket for ipa-certupdate
Closed: fixed 2 years ago by rcritten. Opened 2 years ago by rcritten.

Request for enhancement

As an administrator I don't want to have to manually obtain a TGT in order to execute ipa-certupdate when the CA chain is updated. This will allow for easier automation.

Steps to Reproduce

  1. # rm -rf ~/.cache/ipa/s*
  2. # ipa-certupdate

Actual behavior

did not receive Kerberos credentials
The ipa-certupdate command failed.

This happens if there is no schema downloaded from the IPA server in the user's cache. The api.finalize() happens before the kinit_keytab() call.

A better solution may be to drop the kinit_keytab() call and add this before api.finalize():

os.environ['KRB5_CLIENT_KTNAME'] = '/etc/krb5.keytab'

Metadata Update from @pcech:
- Issue priority set to: important (was: normal)

2 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

2 years ago

master:

  • d9b259d Use host keytab to obtain credentials needed for ipa-certupdate
  • d30939e ipatests: Test that ipa-certupdate can run without credentials

ipa-4-9:

  • 1a09ce9 Use host keytab to obtain credentials needed for ipa-certupdate
  • 4941d3d ipatests: Test that ipa-certupdate can run without credentials

ipa-4-8:

  • 1e541a6 Use host keytab to obtain credentials needed for ipa-certupdate
  • 449df02 ipatests: Test that ipa-certupdate can run without credentials

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata