On 09/12/2012 04:29 PM, Simo Sorce wrote:
> On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
>> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>>> On 12.9.2012 14:09, Petr Viktorin wrote:
>>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> When installing the client, we need to take extra care to only contact
>>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>>>
>>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>>> didn't have the host principal yet.
>>>>>>>
>>>>>>>
>>>>>>> To reproduce:
>>>>>>>
>>>>>>> - Install a "master" and "replica"
>>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>>   for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' \
>>>>>>>       '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>>       ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>>   done
>>>>>>>   ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>>   ipa dnsrecord-find $DOMAIN # check
>>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>>   (on master)
>>>>>>>   iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>>>>>>   install client
>>>>>>>
>>>>>>> This will fail without the patch.
>>>>>>>
>>>>>>>
>>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>>> explain the bug. I learned a lot.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>>
>>>>>> ACK, pushed to master and ipa-3-0
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> The patch broke server installs. Please revert it if you're having
>>>>> trouble while I look into it.
>>>>>
>>>>>
>>>>
>>>> I messed up and removed the kinit call entirely when installing on
>>>> master. Attaching a fix.
>>>>
>>>
>>> Works for me, ACK.
>>>
>>> Honza
>>>
>>
>> When the server installation is complete, I was surprised to see that I now
>> have host credentials in my CCACHE:
>>
>> # ipa-server-install --setup-dns
>> ...
>> ==============================================================================
>> Setup complete
>>
>> Next steps:
>> 1. You must make sure these network ports are open:
>>     TCP Ports:
>>       * 80, 443: HTTP/HTTPS
>>       * 389, 636: LDAP/LDAPS
>>       * 88, 464: kerberos
>>       * 53: bind
>>     UDP Ports:
>>       * 88, 464: kerberos
>>       * 53: bind
>>       * 123: ntp
>>
>> 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>>    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>>    and the web user interface.
>>
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this
>> file is the Directory Manager password
>>
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
>>
>> Valid starting     Expires            Service principal
>> 09/12/12 09:28:24  09/13/12 09:28:24
>>         krbtgt/idm.lab.bos.redhat....@idm.lab.bos.redhat.com
>> 09/12/12 09:28:24  09/13/12 09:28:24
>>         HTTP/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
>> 09/12/12 09:28:26  09/13/12 09:28:24
>>         DNS/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
>>
>>
>> I don't think this is expected behavior; the installer should use a CCACHE
>> separate from the user's default.
>
> Definitely,
> a private install ccache should be used.
> Please open a ticket.
>
> Simo.
>
This is caused by a patch pushed today (in the scope of a fix for ticket 2982). Petr Viktorin is working on a fix which will be sent soon, so I think that ticket is not necessary in this case.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
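As an added example, not FreeIPA's own code and not from anyone in the thread: a check that automates what Martin did with `klist` (spotting a service principal such as `host/...` as the default principal of the user's credential cache), plus a hypothetical `private_ccache_env` helper that gives installer steps the private ccache Simo asks for. The `klist` text is constructed to mirror the output quoted above, with `vm-086.example.test` and `EXAMPLE.TEST` as placeholder host and realm.

```python
import os
import re
import tempfile

# Constructed klist output modelled on the one quoted in the thread;
# "vm-086.example.test" / "EXAMPLE.TEST" are placeholder host and realm.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.example.test@EXAMPLE.TEST

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.example.test@EXAMPLE.TEST
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.example.test@EXAMPLE.TEST
"""
# Principal types an installer kinits from keytabs; never a user's default principal.
SERVICE_TYPES = ("host", "HTTP", "DNS", "ldap")

def parse_klist(text):
    """Return (cache name, default principal, list of service principals)."""
    cache = principal = None
    services = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            # ticket rows: "<start date> <time>  <expiry date> <time>  <principal>"
            m = re.match(r"\S+ \S+\s+\S+ \S+\s+(\S+/\S+@\S+)$", line)
            if m:
                services.append(m.group(1))
    return cache, principal, services

def leaked_service_credentials(text):
    """Return details if the cache's default principal is a service
    principal (what Martin saw after ipa-server-install), else None."""
    cache, principal, services = parse_klist(text)
    if principal and principal.split("@")[0].split("/")[0] in SERVICE_TYPES:
        return {"cache": cache, "principal": principal, "services": services}
    return None

def private_ccache_env(env=None):
    """Copy of env with KRB5CCNAME pointing at a fresh private file, so any
    kinit the installer runs cannot land in the user's default cache."""
    env = dict(os.environ if env is None else env)
    fd, path = tempfile.mkstemp(prefix="ipa-install-krb5cc-")
    os.close(fd)
    env["KRB5CCNAME"] = "FILE:" + path
    return env, path
```

Run the installer's Kerberos steps with the returned environment (for example via `subprocess.run(..., env=env)`) and delete `path` afterwards; the user's `/tmp/krb5cc_0` is never touched.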