Red Hat Bugzilla – Bug 1449523
Provide an API command to retrieve PKINIT status in the FreeIPA topology
Last modified: 2017-08-01 05:50:15 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6937

In mixed FreeIPA topologies (pre 4.5 and 4.5 masters) it may be useful to have a tool reporting masters which have PKINIT enabled. This could greatly simplify troubleshooting in cases when some of the clients attempt to request a TGT via PKINIT and fail (maybe due to resolving an old KDC that does not understand PKINIT yet). Since PKINIT is an attribute of the KDC shared by multiple masters, we may reuse the Server-Roles API (after slight modifications) to report PKINIT status based on the pkinitEnabled value set in the KDC entry's ipaConfigString. This can be reported in ipaconfig and we can also provide a dedicated `ipa pkinit-status` command to retrieve this info.
Upstream ticket: https://pagure.io/freeipa/issue/6937
Fixed upstream

ipa-4-5:
https://pagure.io/freeipa/c/c4aa3a17694b1ad8f9c60c98a95d217c01fc736c
https://pagure.io/freeipa/c/753f8cf3aff07d22b35005b973e8518665d1fe6f
https://pagure.io/freeipa/c/fbccb748a1c85b7ed67946ba7a11a960b839bcc9
https://pagure.io/freeipa/c/733cef9d5b0ae83127893ffff71689939902d257
https://pagure.io/freeipa/c/6b815aae7174693b4952f2c60e7201d99e7b9684
https://pagure.io/freeipa/c/4fa29a33765cb5d6ce86846f37766e5d3322f25f

master:
https://pagure.io/freeipa/c/bddb90f38a3505a2768862d2f814c5e749a7dcde
https://pagure.io/freeipa/c/cac7e49daa04e838650548cc9162b8f117dc55b3
https://pagure.io/freeipa/c/d8bb23ac389929f28c584602e592b821e4c6ef9a
https://pagure.io/freeipa/c/f80553208e8d9f3df422f5be8e1cafa511e1b2c4
https://pagure.io/freeipa/c/99352731b4b4bdcedfe6668ce71c1d67720ac4af
https://pagure.io/freeipa/c/58fd229a1dbb3f00a591de9417f36197141e26d7
Verified.

Version ::
ipa-server-4.5.0-14.el7.x86_64

Results ::

[root@vm1 ~]# ipa help pkinit
Kerberos PKINIT feature status reporting tools.

Report IPA masters on which Kerberos PKINIT is enabled or disabled

EXAMPLES:
  List PKINIT status on all masters:
    ipa pkinit-status

  Check PKINIT status on `ipa.example.com`:
    ipa pkinit-status --server ipa.example.com

  List all IPA masters with disabled PKINIT:
    ipa pkinit-status --status='disabled'

For more info about PKINIT support see:

https://www.freeipa.org/page/V4/Kerberos_PKINIT

Topic commands:
  pkinit-status  Report PKINIT status on the IPA masters

To get command help, use:
  ipa <command> --help

### ON IPA Master with no replicas:

[root@vm1 ~]# ipa pkinit-status
----------------
1 server matched
----------------
  Server name: vm1.example.test
  PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------

### ON IPA Master with replica installed with --no-pkinit

[root@vm1 ~]# ipa pkinit-status
-----------------
2 servers matched
-----------------
  Server name: vm1.example.test
  PKINIT status: enabled

  Server name: vm2.example.test
  PKINIT status: disabled
----------------------------
Number of entries returned 2
----------------------------

### Various other filter/search options:

[root@vm1 ~]# ipa pkinit-status --server vm1.example.test
----------------
1 server matched
----------------
  Server name: vm1.example.test
  PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------

[root@vm1 ~]# ipa pkinit-status --server vm2.example.test
----------------
1 server matched
----------------
  Server name: vm2.example.test
  PKINIT status: disabled
----------------------------
Number of entries returned 1
----------------------------

[root@vm1 ~]# ipa pkinit-status --status='disabled'
----------------
1 server matched
----------------
  Server name: vm2.example.test
  PKINIT status: disabled
----------------------------
Number of entries returned 1
----------------------------

[root@vm1 ~]# ipa pkinit-status --status='enabled'
----------------
1 server matched
----------------
  Server name: vm1.example.test
  PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------

[root@vm1 ~]# ipa pkinit-status --status='enabled' --raw
----------------
1 server matched
----------------
  server_server: vm1.example.test
  status: enabled
----------------------------
Number of entries returned 1
----------------------------

### ipa config-show:

[root@vm1 ~]# ipa config-show|grep -i pkinit
  IPA master capable of PKINIT: vm1.example.test
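The description above says where the status comes from (the pkinitEnabled marker in the KDC entry's ipaConfigString) and the verification comment shows the filters the command exposes. The script below is an added example, not FreeIPA's own implementation: it derives the per-master status from a constructed LDIF dump of the masters subtree and applies the same --server/--status/--raw semantics, so the logic can be checked against a topology that includes a pre-4.5 master whose KDC entry never had the marker written. The DN layout cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> and the ldapsearch command in the comment are assumptions about where the live data sits; the parser and helper names are mine.

```python
"""Derive per-master PKINIT status from KDC service entries (added example).

Not FreeIPA code. Assumption: each master's KDC service entry lives at
cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>, and PKINIT capability is
recorded as the ipaConfigString value 'pkinitEnabled' on that entry.
The live data would come from something like:
  ldapsearch -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" "(cn=KDC)" ipaConfigString
"""
import re

# Constructed sample for a mixed topology: vm1 is a 4.5 master with PKINIT,
# vm2 was installed with --no-pkinit, vm3 is an older master whose KDC entry
# carries no pkinitEnabled marker at all (the "old KDC" troubleshooting case).
SAMPLE_LDIF = """\
dn: cn=KDC,cn=vm1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService
ipaConfigString: pkinitEnabled

dn: cn=KDC,cn=vm2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService

dn: cn=KDC,cn=vm3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService
ipaConfigString: startOrder 10
"""

KDC_DN_RE = re.compile(r"^cn=KDC,cn=(?P<fqdn>[^,]+),cn=masters,cn=ipa,cn=etc,",
                       re.IGNORECASE)
VALID_STATUS = ("enabled", "disabled")


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lower: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def pkinit_status(entries):
    """Map master FQDN -> 'enabled' | 'disabled' from the KDC entries only.

    An entry without the marker is reported as disabled, whether it was
    installed with --no-pkinit or predates the marker entirely; both look the
    same to a client that ends up talking to that KDC. Values are compared
    case-insensitively as a defensive choice (ipaConfigString is free text).
    """
    status = {}
    for dn, attrs in entries:
        m = KDC_DN_RE.match(dn)
        if not m:
            continue  # not a KDC service entry of a master
        values = {v.lower() for v in attrs.get("ipaconfigstring", [])}
        status[m.group("fqdn")] = "enabled" if "pkinitenabled" in values else "disabled"
    return status


def query(status, server=None, wanted=None):
    """Apply the --server and --status filters; rows are sorted (fqdn, status)."""
    if wanted is not None and wanted not in VALID_STATUS:
        raise ValueError("status must be one of %s" % ", ".join(VALID_STATUS))
    return [(fqdn, st) for fqdn, st in sorted(status.items())
            if (server is None or fqdn == server) and (wanted is None or st == wanted)]


def render(rows, raw=False):
    """Print rows in the shape of `ipa pkinit-status`, with --raw attribute names."""
    n = len(rows)
    head = "%d server%s matched" % (n, "" if n == 1 else "s")
    out = ["-" * len(head), head, "-" * len(head)]
    for i, (fqdn, st) in enumerate(rows):
        if i:
            out.append("")
        if raw:
            out += ["  server_server: %s" % fqdn, "  status: %s" % st]
        else:
            out += ["  Server name: %s" % fqdn, "  PKINIT status: %s" % st]
    tail = "Number of entries returned %d" % n
    out += ["-" * len(tail), tail, "-" * len(tail)]
    return "\n".join(out)


if __name__ == "__main__":
    status = pkinit_status(parse_ldif(SAMPLE_LDIF))
    print(render(query(status)))
    print(render(query(status, wanted="disabled"), raw=True))
```

Run against a real dump, the disabled list is the set of KDCs a PKINIT-only client must not be pointed at; a client that resolves vm3 (no marker) and vm2 (--no-pkinit) fails identically, which is why the example folds both into "disabled" rather than distinguishing them.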
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304