Improve the implementation of PKINIT certificate retrieval #584
Conversation
install/share/kdc.conf.template
Outdated
| @@ -12,6 +12,6 @@ | |||
| dict_file = $DICT_WORDS | |||
| default_principal_flags = +preauth | |||
| ; admin_keytab = $KRB5KDC_KADM5_KEYTAB | |||
| pkinit_identity = FILE:$KDC_CERT,$KDC_KEY | |||
| pkinit_anchors = FILE:$CACERT_PEM | |||
| $NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY | |||
There was a problem hiding this comment.
This is not really needed. krb5kdc will complain that pkinit_identity is not readable and PKINIT cannot be configured but the rest will continue working. We have pkinit_identity and pkinit_anchors in install/share/kdc.conf.template since 2010, they contained wrong values and missing certs, and KDC did work fine.
install/share/kdc.conf.template
Outdated
| pkinit_identity = FILE:$KDC_CERT,$KDC_KEY | ||
| pkinit_anchors = FILE:$CACERT_PEM | ||
| $NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY | ||
| $NOPK pkinit_anchors = FILE:$CACERT_PEM |
There was a problem hiding this comment.
Same here. Do not comment out this configuration option.
ipaserver/install/krbinstance.py
Outdated
| @@ -221,6 +220,7 @@ def __setup_sub_dict(self): | |||
| KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL, | |||
| DICT_WORDS=paths.DICT_WORDS, | |||
| KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, | |||
| NOPK=';', | |||
There was a problem hiding this comment.
no need for the comment out.
ipaserver/install/krbinstance.py
Outdated
| @@ -393,6 +394,15 @@ def setup_pkinit(self): | |||
| # have any selinux issues with the file context | |||
| shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) | |||
|
|
|||
| # Now modify configuration to add pkinit anchors and restart KDC | |||
| self.sub_dict['NOPK'] = '' | |||
There was a problem hiding this comment.
no need to update kdc.conf here. Just do the restart.
| except Exception: | ||
| root_logger.critical("krb5kdc service failed to restart") | ||
| raise | ||
|
|
There was a problem hiding this comment.
I also think we should actually check that anonymous PKINIT works with new configuration -- since krb5kdc will start just fine with non-working PKINIT, you really need to try to 'kinit -n' to see if anonymous pkinit works.
There was a problem hiding this comment.
That sound like a really good idea that can prevent regressions like the one reported in the ticket to happen. I will add the anon pkinit check and fail with hard error if it does not work.
|
Since I applied this PR, I cannot pass through failing client side installation: |
|
@simo5 are you OK with @abbra's inline suggestions (it is your commit after all :))? |
The certmonger request handling code during pkinit setup actually never correctly handled situations when certificate request was rejected by the CA or CA was unreachable. This led to subtle errors caused by broken anonymous pkinit (e.g. failing WebUI logins) which are hard to debug. The code should behave as other service installers, e. g. use `request_and_wait_for_cert` method which raises hard error when request times out or is not granted by CA. On master contact Dogtag CA endpoint directly as is done in DS installation. https://pagure.io/freeipa/issue/6739
On the first master the framework may not be fully functional to server certificate requests. It is safer to configure helper that contacts Dogtag REST API directly. https://pagure.io/freeipa/issue/6739
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:
* CA is configured or PKCS#12 file is provided
* LDAP, KDC and Apache are configured and the master role is thus
completed and enabled
https://pagure.io/freeipa/issue/6739
Instead of only logging errors when timeout is reached or query for the entry fails for other reasons, `wait_for_entry` should raise exceptions so that we can handle them in caller or let them propagate and fail early. https://pagure.io/freeipa/issue/6739
This prevents replication-based race conditions to break PKINIT certificate requests on replica installation. https://pagure.io/freeipa/issue/6739
After PKINIT certificate is requested and everything is set up, we should attempt to perform anonymous PKINIT and fail hard if it does not work for some reason. https://pagure.io/freeipa/issue/6739
martbab
force-pushed
the
kdc-pkinit-fixes
branch
from
b129c93
to
6a86ff2
Compare
|
I have reworked the PR quite a bit and added/changed a few checks due to replication race conditions affecting PKINIT requests from replica to master. |
|
Works for me and code looks OK |
|
master:
|
The original PKINIT cert request code contained numerous defects, namely:
e.g. in an unusable WebUI after replica installation
and
installers (DS, HTTP for example): what caused hard errors in their case
went unnoticed in PKINIT setup
This PR consolidates this code so that errors arising from CA rejecting the
PKINIT cert request cause the installers to abort immediately. The PKINIT step
was also split into a separate method executed before LDAP updates. The name
was chosen to be
enable_sslin order to make the planned refactoring ofcertificate requesting code (https://pagure.io/freeipa/issue/6429) easier: the
method name is not accurate but at least it is consistent with e.g. LDAP
installer co the common code can be grepper with greater ease.
https://pagure.io/freeipa/issue/6739