On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:
On 2.12.2015 16:23, Jan Cholasta wrote:
Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5401>.

Patches are on the list:
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.


Pushed.



b) Admin password is required for connection check. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5497>.

Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.




1)
[root@vm-058-138 ~]# ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)

The same thing happens without my patch. Could you file a ticket?


2)
When host is not in ipaservers hostgroup. Also I would expect a different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck

....
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available

Fixed.



3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

This is the same as 2).


4)
This is not user friendly.
I used a wrong OTP password; can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The same thing happens without my patch for any other error. Could you file a ticket?

Updated patch attached.

--
Jan Cholasta
From 6652e17c952405c5cfcd21ac5aed07e40a1d3284 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 45 ++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4554166..a42ed7e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -777,7 +777,9 @@ def ensure_enrolled(installer):
     config = installer._config
 
     # Perform only if we have the necessary options
-    if not any([installer.admin_password, installer.keytab]):
+    if not any([installer.password,
+                installer.admin_password,
+                installer.keytab]):
         sys.exit("IPA client is not configured on this system.\n"
                  "You must join the system by running 'ipa-client-install' "
                  "first. Alternatively, you may specify enrollment related "
@@ -787,6 +789,8 @@ def ensure_enrolled(installer):
     service.print_msg("Configuring client side components")
     try:
         args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+        stdin = None
+
         if installer.domain_name:
             args.extend(["--domain", installer.domain_name])
         if installer.server:
@@ -796,12 +800,16 @@ def ensure_enrolled(installer):
         if installer.host_name:
             args.extend(["--hostname", installer.host_name])
 
-        if installer.admin_password:
-            # Always set principal if password was set explicitly,
-            # the password itself gets passed directly via stdin
-            args.extend(["--principal", installer.principal or "admin"])
-        if installer.keytab:
-            args.extend(["--keytab", installer.keytab])
+        if installer.password:
+            args.extend(["--password", installer.password])
+        else:
+            if installer.admin_password:
+                # Always set principal if password was set explicitly,
+                # the password itself gets passed directly via stdin
+                args.extend(["--principal", installer.principal or "admin"])
+                stdin = installer.admin_password
+            if installer.keytab:
+                args.extend(["--keytab", installer.keytab])
 
         if installer.no_dns_sshfp:
             args.append("--no-dns-sshfp")
@@ -814,7 +822,7 @@ def ensure_enrolled(installer):
         if installer.mkhomedir:
             args.append("--mkhomedir")
 
-        ipautil.run(args, stdin=installer.admin_password or None)
+        ipautil.run(args, stdin=stdin)
 
     except Exception as e:
         sys.exit("Configuration of client side components failed!\n"
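Review bot: the `except Exception as e` handler reports the failure with the full command line, and Martin's item 4 output above shows the consequence: `'--password' 'buba'` is printed verbatim in the stderr message and, per that message, also ends up in /var/log/ipareplica-install.log. Now that `args` can carry the OTP, redact the value after `--password` before formatting `e` into the exit message (or move the OTP to stdin), otherwise a mistyped or still-valid enrollment secret is left in terminal scrollback and on disk.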
@@ -973,6 +981,9 @@ def promote_check(installer):
         add_to_ipaservers = not result
 
         if add_to_ipaservers:
+            if options.password and not options.admin_password:
+                raise errors.ACIError(info="Not authorized")
+
             if installer._ccache is None:
                 del os.environ['KRB5CCNAME']
             else:
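Review bot: `errors.ACIError(info="Not authorized")` tells the user nothing about the cause; this branch is reached precisely when the host is not yet in the ipaservers host group and only `--password` was given, which is the case Martin reports in items 2 and 3 as needing a better message. Spell out the remedy in `info` (add the host to the ipaservers host group, or supply an admin principal and password), and confirm that `options` here is the same object as `installer` used in the `installer._ccache` check directly below, since the rest of `promote_check` in this diff is written against `installer`.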
@@ -1349,11 +1360,14 @@ class Replica(BaseServer):
                      "multiple times"),
     )
 
-    dm_password = Knob(
+    dm_password = None
+
+    password = Knob(
         BaseServer.dm_password,
-        description="Directory Manager (existing master) password",
-        cli_name='password',
-        cli_metavar='PASSWORD',
+        description=("Password to join the IPA realm. Assumes bulk password "
+                     "unless principal is also set. (domain level 1+)\n"
+                     "Directory Manager (existing master) password. "
+                     "(domain level 0)"),
     )
 
     admin_password = Knob(
@@ -1435,6 +1449,11 @@ class Replica(BaseServer):
 
         if self.replica_file is None:
             self.promote = True
+
+            if self.principal and not self.admin_password:
+                self.admin_password = self.password
+                self.password = None
+
             # If any of the PKCS#12 options are selected, all are required.
             if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
                 raise RuntimeError("--dirsrv-cert-file and --http-cert-file "
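Review bot: the reassignment `self.admin_password = self.password` / `self.password = None` silently changes what `--password` means depending on whether `--principal` was given, and it only fires when `--admin-password` is absent, so `--principal X --password Y --admin-password Z` keeps Y as the bulk OTP and Z as the admin password. That matches the Knob description in the earlier hunk, but a one-line comment here stating the rule would spare the next reader from re-deriving it from the `Knob` help text.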
@@ -1479,8 +1498,6 @@ class Replica(BaseServer):
                     "You must specify at least one of --forwarder, "
                     "--auto-forwarders, or --no-forwarders options")
 
-        self.password = self.dm_password
-
     @step()
     def main(self):
         if self.promote:
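Review bot: with `self.password = self.dm_password` removed here and `dm_password = None` set on the class in the earlier hunk, any code on the domain level 0 (replica_file) path that still reads `self.dm_password` will now get None. The diff only touches the promotion path, so please confirm the level 0 path was switched to `self.password`, which the new Knob description advertises as the Directory Manager password at that level.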
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code