100 lines
4.4 KiB
Diff
100 lines
4.4 KiB
Diff
From 5756ed2af940378c16d9d52e083b8c4005d41a13 Mon Sep 17 00:00:00 2001
|
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
Date: Wed, 21 Jan 2026 17:19:18 +0100
|
|
Subject: [PATCH] ipa-advise: smart card client script does not need krb ticket
|
|
|
|
The script generated by ipa-advise config-client-for-smart-card-auth
|
|
currently requires a kerberos ticket because it calls ipa-certupdate.
|
|
|
|
Since IPA 4.9.0 and commit 1a09ce9, ipa-certupdate can be called
|
|
without a ticket. Update the script so that it detects if it gets
|
|
executed on a client recent enough to skip that requirement.
|
|
|
|
Update the test for config-client-for-smart-card-auth, do not
|
|
call kinit admin on the client.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9923
|
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
ipaserver/advise/plugins/smart_card_auth.py | 22 ++++++++++++++++++++-
|
|
ipatests/test_integration/test_advise.py | 10 +++++++---
|
|
2 files changed, 28 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
|
|
index b79797dcaee0c881d3ef752a268ed520d96b433b..a0e50e9806f7843d2981141d8941d5e37f53c0cd 100644
|
|
--- a/ipaserver/advise/plugins/smart_card_auth.py
|
|
+++ b/ipaserver/advise/plugins/smart_card_auth.py
|
|
@@ -34,6 +34,26 @@ class common_smart_card_auth_config(Advice):
|
|
'Use kinit as privileged user to obtain Kerberos credentials'
|
|
])
|
|
|
|
+ def check_ccache_not_empty_if_old_version(self):
|
|
+ self.log.comment("On version before IPA 4.9, "
|
|
+ "check that the credential cache is not empty")
|
|
+ self.log.command(
|
|
+ "python3 -c \"from ipapython.version import VERSION;"
|
|
+ "from ipaplatform.tasks import tasks;"
|
|
+ "exit(tasks.parse_ipa_version(VERSION) >= "
|
|
+ "tasks.parse_ipa_version('4.9.0'))\"")
|
|
+ with self.log.if_branch('[ "$?" -eq "0" ]'):
|
|
+ self.log.exit_on_failed_command(
|
|
+ 'klist',
|
|
+ [
|
|
+ "Credential cache is empty",
|
|
+ 'Use kinit as privileged user to obtain Kerberos '
|
|
+ 'credentials'
|
|
+ ])
|
|
+ with self.log.else_branch():
|
|
+ self.log.command(
|
|
+ "echo 'Version 4.9.0+ does not require Kerberos credentials'")
|
|
+
|
|
def check_and_set_ca_cert_paths(self):
|
|
ca_paths_variable = self.smart_card_ca_certs_variable_name
|
|
single_ca_path_variable = self.single_ca_cert_variable_name
|
|
@@ -260,7 +280,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
|
def get_info(self):
|
|
self.log.exit_on_nonroot_euid()
|
|
self.check_and_set_ca_cert_paths()
|
|
- self.check_ccache_not_empty()
|
|
+ self.check_ccache_not_empty_if_old_version()
|
|
self.check_and_remove_pam_pkcs11()
|
|
self.install_opensc_and_dconf_packages()
|
|
self.install_krb5_client_dependencies()
|
|
diff --git a/ipatests/test_integration/test_advise.py b/ipatests/test_integration/test_advise.py
|
|
index 3d5cadee319ebba14ebc43ebb1dc90a502e5d3b8..a336634ae9627133c5ad4dea4b1c43ffd726df10 100644
|
|
--- a/ipatests/test_integration/test_advise.py
|
|
+++ b/ipatests/test_integration/test_advise.py
|
|
@@ -60,13 +60,17 @@ class TestAdvice(IntegrationTest):
|
|
)
|
|
tasks.install_client(cls.master, cls.clients[0])
|
|
|
|
- def execute_advise(self, host, advice_id, *args):
|
|
+ def execute_advise(self, host, advice_id, *args, kinit=True):
|
|
# ipa-advise script is only available on a server
|
|
tasks.kinit_admin(self.master)
|
|
advice = self.master.run_command(['ipa-advise', advice_id])
|
|
# execute script on host (client or master)
|
|
if host is not self.master:
|
|
- tasks.kinit_admin(host)
|
|
+ if kinit:
|
|
+ tasks.kinit_admin(host)
|
|
+ else:
|
|
+ # Make sure we don't have any ticket
|
|
+ tasks.kdestroy_all(host)
|
|
filename = tasks.upload_temp_contents(host, advice.stdout_text)
|
|
cmd = ['sh', filename]
|
|
cmd.extend(args)
|
|
@@ -181,7 +185,7 @@ class TestAdvice(IntegrationTest):
|
|
ca_pem = ExternalCA().create_ca()
|
|
ca_file = tasks.upload_temp_contents(client, ca_pem)
|
|
try:
|
|
- self.execute_advise(client, advice_id, ca_file)
|
|
+ self.execute_advise(client, advice_id, ca_file, kinit=False)
|
|
finally:
|
|
client.run_command(['rm', '-f', ca_file])
|
|
|
|
--
|
|
2.52.0
|
|
|