#9333 ipa-client-install --pkinit-identity can block in unattended mode
Closed: fixed a year ago by frenaud. Opened a year ago by cheimes.

Issue

IPA client installation with PKINIT ipa-client-install --pkinit-identity ... can block if PKINIT authentication fails. The issue can occur when the KDC refuses the certs or the CA trust chain is incomplete. On authentication error kinit asks the user to supply a password instead. This blocks ipa-client-install even in unattended installation module.

Steps to Reproduce

  1. Run ipa-client-install --pkinit-identity with incomplete pkinit anchors
  2. Check /var/log/ipaclient-install.log
    3.

Actual behavior

The client installer blocks in kinit_pkinit() call. The last line in the installer is ['/usr/bin/kinit', ...].

Expected behavior

The installer should fail immediately.

Version/Release/Distribution

All Fedora and RHEL versions with 4.9.11+ and 4.10.1+ are affected

  • ipa-client-4.9.11-3.module+el8.8.0+17609+6cfecbae.x86_6
  • ipa-client-4.10.1-3.el9.x86_64

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6707

a year ago

master:

  • 074c2f5 Don't block when kinit_pkinit() fails

ipa-4-9:

  • 03f544e Don't block when kinit_pkinit() fails

ipa-4-10:

  • 8803938 Don't block when kinit_pkinit() fails

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Log in to comment on this ticket.

Metadata