Merge pull request freeipa#1206 from rjeffman/ipaserver_fix_deploy_EL8

ipaserver: Fix deployment after Bronze-bit fix
rjeffman · Feb 7, 2024 · 29f046b · 29f046b
2 parents 03c65bd + 2317c20
commit 29f046b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/roles/ipaserver/library/ipaserver_set_ds_password.py b/roles/ipaserver/library/ipaserver_set_ds_password.py
@@ -131,7 +131,8 @@
 from ansible.module_utils.ansible_ipa_server import (
     check_imports,
     MAX_DOMAIN_LEVEL, AnsibleModuleLog, options, sysrestore, paths,
-    api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging
+    api_Backend_ldap2, ds_init_info, redirect_stdout, setup_logging,
+    krbinstance, service
 )
 
 
@@ -221,6 +222,16 @@ def main():
     with redirect_stdout(ansible_log):
         ds.change_admin_password(options.admin_password)
 
+    # Force KDC to refresh the cached value of ipaKrbAuthzData by restarting.
+    # ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation,
+    # which is required to handle S4U2Proxy with the Bronze-Bit fix.
+    # Not doing so would cause API malfunction for around a minute, which is
+    # long enough to cause the hereafter client installation to fail.
+    krb = krbinstance.KrbInstance(fstore)
+    krb.set_output(ansible_log)
+    service.print_msg("Restarting the KDC")
+    krb.restart()
+
     # done ##########################################################
 
     ansible_module.exit_json(changed=True)