Bug 1449522 - Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.4
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Scott Poore
Reported: 2017-05-10 04:31 EDT by Petr Vobornik
Modified: 2017-08-01 05:50 EDT
Fixed In Version: ipa-4.5.0-14.el7
Last Closed: 2017-08-01 05:50:15 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

Description Petr Vobornik 2017-05-10 04:31:00 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6936

Since FreeIPA 4.5 framework relies on some form of anonymous PKINIT to obtain FAST armor tickets during password auth requests, some form of PKINIT is always configured during install/upgrade.

Thus it does not make sense to maintain the pkinit-anonymous subcommand. We should mark it as deprecated and make it a no-op, since locking the anonymous principal can completely break password-based auth on the masters (e.g. WebUI logins).
Comment 2 Petr Vobornik 2017-05-10 04:31:14 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/6936
Comment 3 Martin Babinsky 2017-05-23 12:09:08 EDT
master:

* 24099d0f806103d8ec57d69fc97e9b4ae061bfdd Remove pkinit-anonymous command

Waiting for rebase to land in ipa-4-5 branch
Comment 4 Martin Babinsky 2017-05-24 12:09:53 EDT
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/4e878c3dc6f72cae4e7b4cb2ef45f2f4e91ac287
Comment 6 Scott Poore 2017-06-06 14:39:50 EDT
Verified.

Version ::

ipa-server-4.5.0-14.el7.x86_64

Results ::

[root@vm1 ~]# ipa help pkinit-anonymous
ipa: ERROR: no command nor help topic 'pkinit_anonymous'

[root@vm1 ~]# ipa pkinit-anonymous
ipa: ERROR: unknown command 'pkinit-anonymous'

[root@vm1 ~]# ipa help pkinit|grep -i anon
[root@vm1 ~]#
Comment 7 errata-xmlrpc 2017-08-01 05:50:15 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
