Reconfigure Kerberos library config as the last step of KDC install #564
Conversation
|
LGTM. |
During KDC installation, we overwrite the existing `/etc/krb5.conf` file from client version to use only local KDC for client requests. However, this means that services such as certmonger may try to kinit against local KDC before it is up and running, resulting in subtle but serious bugs. The file should be updated only when KDC is set up properly and running. https://pagure.io/freeipa/issue/6739
martbab
force-pushed
the
replica-krb5-install-fix
branch
from
c1f092c
to
eb8be8a
Compare
|
I do not think this is the correct fix/bug |
|
But the certs are requested by certmonger on replica which tries to kinit against the very same KDC that is being configured and is not running yet because it was told so by the Kerberos config that was updated before starting KDC. |
|
@simo5 KDC starts just fine with missing certs. It disables PKINIT if certs aren't reachable. However, if KDC is not running at all, certmonger cannot complete the cert request at all. |
|
Ah right this won't work because on master there would be no library configuration for KDC deployment (realm, etc) that's why server install in travis crashed. Closing this PR as #567 superseds it. |
During KDC installation, we overwrite the existing
/etc/krb5.conffilefrom client version to use only local KDC for client requests. However,
this means that services such as certmonger may try to kinit against
local KDC before it is up and running, resulting in subtle but serious
bugs.
The file should be updated only when KDC is set up properly and running.
https://pagure.io/freeipa/issue/6739