From 2183bb68cc36b77be3f2c78c00d791d95a17d6b0 Mon Sep 17 00:00:00 2001
From: Scott Poore <spoore@redhat.com>
Date: Thu, 5 Oct 2017 11:46:07 -0500
Subject: [PATCH] change pkinit_anchors to kdc-ca-bundle

In the client krb5.conf setup, a pkinit_anchors entry
was being added for pki-ca-bundle.  This should instead
be kdc-ca-bundle.

Signed-off-by: Scott Poore <spoore@redhat.com>
---
 roles/ipaclient/tasks/install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index fd6b55d6..48f85f19 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -172,7 +172,7 @@
       krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
       krb5_dns_canonicalize_hostname: "false"
       krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
-      krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
+      krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
     when: ipadiscovery.ipa_python_version > 40400
 
   - name: Install - IPA API calls for remaining enrollment parts
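Review bot: The new `krb5_pkinit_anchors` line sets the trust root the client uses to verify the KDC certificate during PKINIT, but nothing beside it says how it differs from `krb5_pkinit_pool` one line above. A comment above the two variables would make the distinction reviewable, e.g. `# anchors: CAs trusted to sign the KDC certificate; pool: additional certificates used only for chain building`. The hunk also does not show whether kdc-ca-bundle.pem is guaranteed to exist on the client before krb5.conf is written. That should be confirmed for the oldest version admitted by `ipadiscovery.ipa_python_version > 40400`; a missing anchors file would presumably make PKINIT fail rather than fall back, but that is inferred and worth verifying. The task begins above the hunk, so the template call and any preceding file checks are not visible here.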
-- 
GitLab