ipaserver: Fix deployment after Bronze-bit fix
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger
PAC generation, there's a timing issue that causes API malfunction which
is long enough to cause the client part installation to fail.

By restarting KDC after DS password is set, we force cached values to be
refreshed, allowing the API to work correctly.

Resolves: freeipa#1200
rjeffman committed Feb 7, 2024
1 parent 4321478 commit 2317c20
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion roles/ipaserver/library/ipaserver_set_ds_password.py
@@ -131,7 +131,8 @@
from ansible.module_utils.ansible_ipa_server import (
check_imports,
MAX_DOMAIN_LEVEL, AnsibleModuleLog, options, sysrestore, paths,
api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging
api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging,
krbinstance, service
)


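Review bot: the only new names this hunk pulls in are `krbinstance` and `service`, and the diff shows just the import site; confirm that `ansible.module_utils.ansible_ipa_server` re-exports both for every FreeIPA version this role supports, since an older server without them would fail at import time rather than with a clear error from the module. If they are only available on newer versions, the import should be guarded the same way the other compatibility-sensitive names in that module are.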
@@ -221,6 +222,16 @@ def main():
with redirect_stdout(ansible_log):
ds.change_admin_password(options.admin_password)

# Force KDC to refresh the cached value of ipaKrbAuthzData by restarting.
# ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation,
# which is required to handle S4U2Proxy with the Bronze-Bit fix.
# Not doing so would cause API malfunction for around a minute, which is
# long enough to cause the hereafter client installation to fail.
krb = krbinstance.KrbInstance(fstore)
krb.set_output(ansible_log)
service.print_msg("Restarting the KDC")
krb.restart()

# done ##########################################################

ansible_module.exit_json(changed=True)
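Review bot: `service.print_msg("Restarting the KDC")` and `krb.restart()` run after the `with redirect_stdout(ansible_log):` block that wraps `ds.change_admin_password(...)`, so anything they write to stdout goes to the raw module output rather than to `ansible_log`; since Ansible parses the module's stdout as JSON, stray text there can break the result. Suggest moving the three new lines inside the existing `with redirect_stdout(ansible_log):` block (or wrapping them in their own), and wrapping `krb.restart()` in a try/except that calls `ansible_module.fail_json` so a failed KDC restart is reported as a proper module failure instead of a traceback. It is also worth stating in the code comment which cached value the restart is meant to flush and why the alternative (waiting for the cache to expire) is not acceptable here, since a service restart in a "set DS password" module is surprising to a reader who lacks the commit message.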