1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-22 16:25:17 +00:00

Better system keytab checking for client

This commit is contained in:
Lauri Võsandi 2017-04-14 01:49:32 +03:00
parent c5a0b34b0a
commit 216af460cf
2 changed files with 5 additions and 2 deletions

View File

@ -138,7 +138,9 @@ def certidude_request(fork, renew):
endpoint_revocations_path = "/var/lib/certidude/%s/ca_crl.pem" % authority
# TODO: Create directories automatically
system_keytab_required = False
if clients.get(authority, "trigger") == "domain joined":
system_keytab_required = True
if not os.path.exists("/etc/krb5.keytab"):
continue
elif clients.get(authority, "trigger") != "interface up":
@ -173,6 +175,7 @@ def certidude_request(fork, renew):
try:
certidude_request_certificate(
authority,
system_keytab_required,
endpoint_key_path,
endpoint_request_path,
endpoint_certificate_path,

View File

@ -26,7 +26,7 @@ def selinux_fixup(path):
cmd = "chcon", "--type=home_cert_t", path
subprocess.call(cmd)
def certidude_request_certificate(server, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
def certidude_request_certificate(server, system_keytab_required, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
"""
Exchange CSR for certificate using Certidude HTTP API server
"""
@ -189,7 +189,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
return
# If machine is joined to domain attempt to present machine credentials for authentication
if os.path.exists("/etc/krb5.keytab"):
if system_keytab_required:
os.environ["KRB5CCNAME"]="/tmp/ca.ticket"
# If Samba configuration exists assume NetBIOS name was used in keytab
if os.path.exists("/etc/samba/smb.conf"):