URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, it turns out the request fails not on the replica, but on the initial master, so it's actually `ipa-server-install` which is broken - if you install the server from current master and the replica from this PR it works fine. Steps to reproduce:
```
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com -r ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
...
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla
```

Note that you won't actually be able to do the above, as the `ipa-server-install` step will fail with:
```
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.xLK2pI.db
Unable to set admin password Command '/usr/bin/ldappasswd -h vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA server
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This does not happen with current master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275044170