d0ca280108
- Resolves: RHEL-37285 IPA Web UI not showing replication agreement for non-admin users - Resolves: RHEL-42703 PSKC.xml issues with ipa_otptoken_import.py - Resolves: RHEL-41194 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed - Resolves: RHEL-39477 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica - Resolves: RHEL-46559 Include latest fixes in python3-ipatests packages - Resolves: RHEL-22188 [RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From c8e3fdeb0015f9c52c64816d6cd39279c5d3ad5a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 20 Jun 2024 08:36:04 +0200
Subject: [PATCH] PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.
Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/cert.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index df415c375189a54ceb0a00670f9c15e2f154a94e..6249c6d6f24acdca4fc3e9dd989f58344192b567 100644
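--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import datetime_from_utctimestamp
 from ipaserver.plugins.service import normalize_principal, validate_realm
 from ipaserver.masters import (
- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
 )
 
 try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
 def ca_kdc_check(api_instance, hostname):
 master_dn = api_instance.Object.server.get_dn(unicode(hostname))
 kdc_dn = DN(('cn', 'KDC'), master_dn)
- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
 try:
 kdc_entry = api_instance.Backend.ldap2.get_entry(
 kdc_dn, ['ipaConfigString'])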
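Review bot: The `wanted` set in `ca_kdc_check` appears to be the gate that decides which hosts may be issued a KDC (PKINIT) certificate, and the new line widens it with no comment saying why the hidden state is acceptable there. I would add above it `# a hidden replica still runs a KDC, so it must pass this check to renew its PKINIT cert`, so a later reader does not assume the three states are interchangeable in other checks. The diffstat lists only cert.py, so no regression test accompanies the fix. Two tests would pin both sides of the check: one that renews the certificate from a hidden replica, and one confirming that a host whose KDC entry carries none of the three values is still refused. The rest of `ca_kdc_check`, including how `wanted` is compared with `ipaConfigString`, lies outside the hunk.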
--
2.45.2