On 08.12.2015 13:19, Martin Basti wrote:


On 08.12.2015 13:09, Jan Cholasta wrote:
On 8.12.2015 12:49, Martin Basti wrote:


On 08.12.2015 10:31, Martin Basti wrote:


On 08.12.2015 08:52, Jan Cholasta wrote:
On 7.12.2015 21:11, Martin Basti wrote:


On 07.12.2015 08:21, Jan Cholasta wrote:
On 2.12.2015 16:23, Jan Cholasta wrote:
Hi,

the attached patch fixes
<https://fedorahosted.org/freeipa/ticket/5498>.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5401>.

Patches are on the list:
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.



Pushed.



b) Admin password is required for connection check. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5497>.

Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.




1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)

The same thing happens without my patch. Could you file a ticket?
https://fedorahosted.org/freeipa/ticket/5525



2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
--skip-conncheck

....
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available

Fixed.



3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group, if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major
(851968): Unspecified GSS failure.  Minor code may provide more
information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information

This is the same as 2).


4)
This is not user friendly.
I used a wrong OTP password; can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of
client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server'
'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba''
returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information

The same thing happens without my patch for any other error. Could
you file a ticket?

https://fedorahosted.org/freeipa/ticket/5527


Updated patch attached.

Working on review


Is it expected that the client will be installed even if there are not
enough privileges to install the replica?

# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com  --domain
abc.idm.lab.eng.brq.redhat.com --password bubak --skip-conncheck
Configuring client side components
ipa.ipapython.install.cli.install_tool(Replica): ERROR
Insufficient privileges to promote the server.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information

Yes. The check can't be done without the host keytab, which you get with ipa-client-install. If ipa-client-install wasn't monolithic, the check could be done earlier, but we are not there yet.

The client should probably be uninstalled in case of failure, though.

ACK

I will report this in a separate ticket

Pushed to master: faf608556427849b33f4525b9bac2e71020bb962

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code