Testing instructions included in the ticket.
---
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the
server during authentication. However, when an IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which detects
this situation and tries connecting again with TGT forwarding
enabled.

https://fedorahosted.org/freeipa/ticket/2697

From 9d91bba05b4279c3b975d34db87cf8fd68bc2228 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 2 May 2012 15:36:04 +0200
Subject: [PATCH] Make ipa 2.2 client capable of joining an older server

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the
server during authentication. However, when an IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which detects
this situation and tries connecting again with TGT forwarding
enabled.

https://fedorahosted.org/freeipa/ticket/2697
---
 ipa-client/ipa-install/ipa-client-install |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce0457dd4f4a51530337db7e5e3fec829b3..16106a50c3124612f051cc9e9a37a1c1200377eb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1375,13 +1375,32 @@ def install(options, env, fstore, statestore):
     os.environ['KRB5CCNAME'] = CCACHE_FILE
     try:
         ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname])
-        api.Backend.xmlclient.connect()
     except CalledProcessError, e:
         print >>sys.stderr, "Failed to obtain host TGT."
         # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
         # abort installation and rollback changes
         return CLIENT_INSTALL_ERROR
 
+    # Now, we have a TGT, lets try to connect to the server's XML-RPC interface
+    try:
+        api.Backend.xmlclient.connect()
+    except errors.KerberosError, e:
+        root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e))
+        root_logger.debug('Trying with delegate=True')
+        try:
+            api.Backend.xmlclient.connect(delegate=True)
+
+            # The remote server is not capable of Kerberos S4U2Proxy delegation
+            # This features is implemented in IPA server version 2.2 and higher
+            print >>sys.stderr, "Server does not support Kerberos S4U2Proxy delegation"
+            print >>sys.stderr, "ipa command needs to use --delegate to connect to the server"
+        except errors.PublicError, e2:
+            print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2)
+            return CLIENT_INSTALL_ERROR
+    except errors.PublicError, e:
+        print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e)
+        return CLIENT_INSTALL_ERROR
+
     if not options.on_master:
         client_dns(cli_server, hostname, options.dns_updates)
         configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
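Review bot: the fallback in the `except errors.KerberosError` branch retries `api.Backend.xmlclient.connect(delegate=True)` on any KerberosError, not only on the "server is pre-2.2" condition the commit message describes, so the host's TGT gets forwarded to the server whenever the first connect fails for any Kerberos-related reason (it is only after the delegated connect succeeds that the code concludes the server lacks S4U2Proxy support). Forwarding the TGT hands the server a credential it can use to act as the host, so this downgrade deserves to be recorded through `root_logger.warning` rather than only the two `print >>sys.stderr` lines, and the trigger should be narrowed to the specific error the old server returns if it can be identified. Also, in the comment `# This features is implemented in IPA server version 2.2 and higher`, "features" should be "feature".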
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
