diff --git a/certidude/cli.py b/certidude/cli.py
index 857f9ce..6534deb 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -138,7 +138,9 @@ def certidude_request(fork, renew):
 endpoint_revocations_path = "/var/lib/certidude/%s/ca_crl.pem" % authority
 # TODO: Create directories automatically
+ system_keytab_required = False
 if clients.get(authority, "trigger") == "domain joined":
+ system_keytab_required = True
 if not os.path.exists("/etc/krb5.keytab"):
 continue
 elif clients.get(authority, "trigger") != "interface up":
@@ -173,6 +175,7 @@ def certidude_request(fork, renew):
 try:
 certidude_request_certificate(
 authority,
+ system_keytab_required,
 endpoint_key_path,
 endpoint_request_path,
 endpoint_certificate_path,
diff --git a/certidude/helpers.py b/certidude/helpers.py
index bcaa15a..f19cee2 100644
--- a/certidude/helpers.py
+++ b/certidude/helpers.py
@@ -26,7 +26,7 @@ def selinux_fixup(path):
 cmd = "chcon", "--type=home_cert_t", path
 subprocess.call(cmd)
-def certidude_request_certificate(server, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
+def certidude_request_certificate(server, system_keytab_required, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
 """
 Exchange CSR for certificate using Certidude HTTP API server
 """
@@ -189,7 +189,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
 return
 # If machine is joined to domain attempt to present machine credentials for authentication
- if os.path.exists("/etc/krb5.keytab"):
+ if system_keytab_required:
 os.environ["KRB5CCNAME"]="/tmp/ca.ticket"
 # If Samba configuration exists assume NetBIOS name was used in keytab
 if os.path.exists("/etc/samba/smb.conf"):
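Review bot: `system_keytab_required` is inserted as a required positional parameter in second place in the `certidude_request_certificate` signature (`certidude/helpers.py`, hunk `@@ -26,7 +26,7 @@`), ahead of all the path arguments, and the call in `certidude/cli.py` (hunk `@@ -173,6 +175,7 @@`) passes it positionally. A caller not updated by this commit would either raise a TypeError or, if it passes enough positionals, have `key_path` read as a truthy flag and every path shifted by one; no other caller is visible in this diff, so that needs checking. Because the flag decides whether machine Kerberos credentials are presented, I would pass it by name at the call site, `system_keytab_required=system_keytab_required,`, and add a docstring line such as `system_keytab_required: present the host keytab credentials when True`. The function body continues outside both hunks.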
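Review bot: The new guard `if system_keytab_required:` in `certidude/helpers.py` (hunk `@@ -189,7 +189,7 @@`) trusts the caller's flag completely: the function no longer verifies that `/etc/krb5.keytab` exists, and any truthy value enables the branch. The visible caller in `cli.py` checks the file before the call, but I would keep a cheap check inside the branch and fail clearly, e.g. `if not os.path.exists("/etc/krb5.keytab"): raise IOError("system keytab required but missing")`. The comment above the guard still says "If machine is joined to domain" and should become something like `# Present machine credentials only when the caller requires the system keytab`. Separately, the unchanged line in this branch sets `KRB5CCNAME` to the fixed `/tmp/ca.ticket`, a predictable name in a world-writable directory; a cache location writable only by the service user would be safer. The rest of the branch lies outside the hunk, so how the ticket is acquired cannot be judged from here.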