related to ticket https://fedorahosted.org/freeipa/ticket/4808

Patch attached.

Martin^3
From 5988842868303d6a9feffeb2ec5ce873b42876e0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 9 Jan 2015 17:38:39 +0100
Subject: [PATCH] ipa-client-install: added new option '--tgt-kinit-attempts':

The option enables the host to make multiple attempts to obtain a TGT from the KDC
before giving up and aborting the client installation.

https://fedorahosted.org/freeipa/ticket/4808

---
 ipa-client/ipa-install/ipa-client-install | 41 +++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..b0070883edaa7c94fb31265bcce90a8a851d226f 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -144,6 +144,10 @@ def parse_options():
                       help="do not modify the nsswitch.conf and PAM configuration")
     basic_group.add_option("-f", "--force", dest="force", action="store_true",
                       default=False, help="force setting of LDAP/Kerberos conf")
+    basic_group.add_option('--tgt-kinit-attempts', dest='tgt_kinit_attempts', action='store',
+                           type='int', default=4,
+                           help="number of attempts to obtain host TGT \
+                           if the first one fails (defaults to %default).")
     basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
     basic_group.add_option("-U", "--unattended", dest="unattended",
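Review bot: The backslash continuation inside the help string literal at the end of `'--tgt-kinit-attempts'` embeds the indentation of the following line into the help text, so `--help` prints "TGT" followed by a long run of spaces before "if the first one fails". Use implicit concatenation instead: `help="number of attempts to obtain host TGT " "if the first one fails (defaults to %default)."`. The option also accepts negative values, which the new retry helper does not handle; if parse_options validates other options further down (the function continues outside the hunk), rejecting `options.tgt_kinit_attempts < 0` there with `parser.error(...)` would close that gap.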
@@ -1089,6 +1093,27 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 
     return 0
 
+def get_host_tgt(options, keytab, host, realm, env):
+    n_attempts = 0
+    root_logger.info("Attempting to get host TGT...")
+
+    while n_attempts <= options.tgt_kinit_attempts:
+        n_attempts += 1
+        (stderr, stdout, returncode) = run(
+                            [paths.KINIT,'-k', '-t', keytab,
+                            'host/%s@%s' % (host, realm)],
+                            env=env,
+                            raiseonerr=False)
+
+        if returncode == 0:
+            root_logger.info("Attempt %d succeeded." % n_attempts)
+            break
+
+        root_logger.warning("Attempt %d failed." %n_attempts)
+        time.sleep(1)
+
+    return (stderr, stdout, returncode)
+
 def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
                          ca_enabled):
     if not options.request_cert:
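Review bot: With a negative `options.tgt_kinit_attempts` the `while` loop in get_host_tgt never executes and the final `return (stderr, stdout, returncode)` raises UnboundLocalError, and for every non-negative value the loop makes `tgt_kinit_attempts + 1` kinit calls and then sleeps one second after the last failure for nothing. A bounded `for` with the attempt count clamped to at least one and the sleep skipped after the final attempt fixes both; the helper should also get a docstring stating that it returns the last run() result rather than raising. The helper uses `time.sleep`, and the file's import block is not in this patch, so please confirm `time` is already imported. The tuple is unpacked as `(stderr, stdout, returncode)` like the removed lines it replaces; if this `run()` is ipautil's, which I believe returns stdout first, the two names are swapped and this new function would be the place to correct them.
```python
def get_host_tgt(options, keytab, host, realm, env):
    """Obtain a TGT for host/<host>@<realm> from keytab, retrying on failure.

    Makes at most 1 + options.tgt_kinit_attempts kinit calls, one second
    apart, and returns the (stderr, stdout, returncode) tuple of the last
    call; it never raises on a non-zero exit status.
    """
    max_attempts = max(1, options.tgt_kinit_attempts + 1)
    root_logger.info("Attempting to get host TGT...")

    for n_attempts in range(1, max_attempts + 1):
        (stderr, stdout, returncode) = run(
            [paths.KINIT, '-k', '-t', keytab, 'host/%s@%s' % (host, realm)],
            env=env,
            raiseonerr=False)

        if returncode == 0:
            root_logger.info("Attempt %d succeeded." % n_attempts)
            break

        root_logger.warning("Attempt %d failed." % n_attempts)
        # no point waiting once the last attempt has been made
        if n_attempts < max_attempts:
            time.sleep(1)

    return (stderr, stdout, returncode)
```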
@@ -2421,12 +2446,8 @@ def install(options, env, fstore, statestore):
             elif options.keytab:
                 join_args.append("-f")
                 if os.path.exists(options.keytab):
-                    (stderr, stdout, returncode) = run(
-                        [paths.KINIT,'-k', '-t', options.keytab,
-                            'host/%s@%s' % (hostname, cli_realm)],
-                        env=env,
-                        raiseonerr=False)
-
+                    (stderr, stdout, returncode) = get_host_tgt(options, options.keytab,
+                                                                hostname, cli_realm, env)
                     if returncode != 0:
                         print_port_conf_info()
                         root_logger.error("Kerberos authentication failed "
@@ -2502,10 +2523,10 @@ def install(options, env, fstore, statestore):
             # Other KDCs might not have replicated the principal yet.
             # Once we have the TGT, it's usable on any server.
             env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
-            try:
-                run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB,
-                        'host/%s@%s' % (hostname, cli_realm)], env=env)
-            except CalledProcessError, e:
+
+            (stderr, stdout, returncode) = get_host_tgt(options, paths.KRB5_KEYTAB,
+                                                        hostname, cli_realm, env)
+            if returncode != 0:
                 root_logger.error("Failed to obtain host TGT.")
                 # failure to get ticket makes it impossible to login and bind
                 # from sssd to LDAP, abort installation and rollback changes
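Review bot: The new `if returncode != 0:` branch logs only "Failed to obtain host TGT." and discards the kinit output that get_host_tgt now hands back, whereas the removed `except CalledProcessError, e:` at least had the exception available; since the install is aborted here, the captured output is the only diagnostic an admin gets. Log it with the error, e.g. `root_logger.error("Failed to obtain host TGT: %s" % stderr)` (using whichever of the two unpacked names actually holds kinit's stderr). The body of install continues outside the hunk, so I cannot see whether the abort path already reports it elsewhere.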
-- 
2.1.0
