[Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined
Hello fellow devs,

I have a proposed patch for ticket #2106 (https://fedorahosted.org/freeipa/ticket/2106): if the return code of the ipa-join command is 13 (Host already joined), the host will try to reacquire the keytab file.

Feedback appreciated!

Cheers,
Lars

From 96d58f994ea097d9e62c7aae831066e4a25b01a9 Mon Sep 17 00:00:00 2001 From: Lars Sjostrom l...@radicore.se Date: Tue, 20 Mar 2012 12:48:07 +0100 Subject: [PATCH] Try to reacquire keytab file if host already joined --- ipa-client/ipa-install/ipa-client-install | 26 ++ 1 files changed, 22 insertions(+), 4 deletions(-) mode change 100755 = 100644 ipa-client/ipa-install/ipa-client-install diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install old mode 100755 new mode 100644 index 75c6065..a2626b0 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1237,6 +1237,7 @@ def install(options, env, fstore, statestore): if not options.on_master: nolog = tuple() +password = None # First test out the kerberos configuration try: # Attempt to sync time with IPA server. @@ -1297,9 +1298,10 @@ def install(options, env, fstore, statestore): print stdout return CLIENT_INSTALL_ERROR elif options.password: -nolog = (options.password,) +password = options.password +nolog = (password,) join_args.append(-w) -join_args.append(options.password) +join_args.append(password) elif options.prompt_password: if options.unattended: print Password must be provided in non-interactive mode
@@ -1318,11 +1320,27 @@ def install(options, env, fstore, statestore): # Now join the domain (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog) -if returncode != 0: +if returncode == 13: +print %s % stderr +print Trying to reacquire keytab file +getkeytab_args = [/usr/sbin/ipa-getkeytab, -s, cli_server, -p, host/%s % hostname, + -k, /etc/krb5.keytab] +if password: +getkeytab_args.append(-D) +getkeytab_args.append(realm_to_suffix(cli_realm)) +getkeytab_args.append(-w) +getkeytab_args.append(password) +(stdout, stderr, returncode) = run(getkeytab_args, raiseonerr=False, env=env, nolog=nolog) +if returncode != 0: +print sys.stderr, Re-acquiring of keytab file failed: %s % stderr, +if not options.force: +return CLIENT_INSTALL_ERROR +else: +print Enrolled in IPA realm %s % cli_realm +elif returncode != 0: print sys.stderr, Joining realm failed: %s % stderr, if not options.force: return CLIENT_INSTALL_ERROR -print Use ipa-getkeytab to obtain a host principal for this server. else: print Enrolled in IPA realm %s % cli_realm -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
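Review bot: in the `@@ -1297,9 +1298,10 @@` hunk, `password` is assigned only inside the `elif options.password:` branch, while the `elif options.prompt_password:` branch that immediately follows is left untouched. A password entered interactively therefore never reaches the later `if password:` check, and the re-acquire path would run `ipa-getkeytab` without `-D`/`-w`. Assign the prompted value to `password` (and add it to `nolog`) in that branch as well, so both input paths behave the same.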
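Review bot: the `@@ -1318,11 +1320,27 @@` hunk makes re-acquisition the default reaction to return code 13, but `ipa-getkeytab` generates a new key for `host/%s % hostname`, which invalidates the keytab of any machine already enrolled under that name; as Simo points out in the thread, a mistyped or duplicated hostname would silently void a working host's credentials. Gate the whole `if returncode == 13:` block on an explicit opt-in (the `--reacquire` flag proposed later in the thread, at minimum `options.force`) before `run(getkeytab_args, ...)` is reached. Separately, `-D` expects a bind DN, and `realm_to_suffix(cli_realm)` yields only the base suffix rather than the host entry's DN, so a simple bind with the one-time password looks unlikely to succeed; check which identity the bind is meant to use. The removed `print Use ipa-getkeytab to obtain a host principal for this server.` hint is also worth keeping in the `elif returncode != 0:` path, since with `--force` the install now continues without a keytab and without guidance.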
Re: [Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined
Hi,

Understood! Would it be OK to add an optional flag then, like --reacquire? Like so:

    # run only if force and reacquire is set
    if options.force and options.reacquire:
        # try to fetch keytab...

Cheers,
Lars

On 20 March 2012 13:44, Simo Sorce s...@redhat.com wrote:
> On Tue, 2012-03-20 at 13:00 +0100, Lars Sjöström wrote:
> > Hello fellow devs,
> > I have a proposed patch for ticket #2106 (https://fedorahosted.org/freeipa/ticket/2106): if the return code of the ipa-join command is 13 (Host already joined), the host will try to reacquire the keytab file.
> > Feedback appreciated!
>
> Hi Lars,
> at the very least this should be conditional and be allowed only when an override flag is passed.
> The reason we punt here is that you may be trying to join a machine with the same name as an already joined and working machine by mistake. We do not want to void that other machine's credentials unless the admin wants to force it.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Lars Sjöström
Senior Consultant / Owner
Radicore AB
Mobile: +46 (0)703 021502
Email: l...@radicore.se
Web: http://www.radicore.se
Re: [Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined
> Lars Sjöström wrote:
> > Hi,
> > Understood! Would it be OK to add an optional flag then, like --reacquire? Like so:
> >
> >     # run only if force and reacquire is set
> >     if options.force and options.reacquire:
> >         # try to fetch keytab...
> >
> > Cheers,
> > Lars
>
> That sounds reasonable. In what case would you want to re-enroll a host without disabling it first?

One use case is where you, for instance, reinstall your OS a lot (in an automated fashion); the client will not have any traces left of the IPA client config, which means the client can't unenroll itself easily. If you know you're reinstalling a lot, one would run ipa-client-install with the re-acquire flag set to let the client try to repair itself. One could always skip the ipa-client-install command and script around the ipa* commands, but I would prefer to have it supported by ipa-client-install. Would that make any sense? :)

Cheers,
Lars

> rob
>
> > On 20 March 2012 13:44, Simo Sorce s...@redhat.com wrote:
> > > On Tue, 2012-03-20 at 13:00 +0100, Lars Sjöström wrote:
> > > > Hello fellow devs,
> > > > I have a proposed patch for ticket #2106 (https://fedorahosted.org/freeipa/ticket/2106): if the return code of the ipa-join command is 13 (Host already joined), the host will try to reacquire the keytab file.
> > > > Feedback appreciated!
> > >
> > > Hi Lars,
> > > at the very least this should be conditional and be allowed only when an override flag is passed.
> > > The reason we punt here is that you may be trying to join a machine with the same name as an already joined and working machine by mistake. We do not want to void that other machine's credentials unless the admin wants to force it.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York

--
Lars Sjöström
Senior Consultant / Owner
Radicore AB
Mobile: +46 (0)703 021502
Email: l...@radicore.se
Web: http://www.radicore.se
[Freeipa-devel] dns_discovery_domain for clients outside server domain
Hello,

I have prepared a patch for https://fedorahosted.org/freeipa/ticket/2209

Feedback appreciated.

Best regards,
Lars

From 510bbfdc4e25eef715d3ceedf8e3463c771166ae Mon Sep 17 00:00:00 2001 From: Lars Sjostrom l...@radicore.se Date: Wed, 21 Dec 2011 22:32:01 +0100 Subject: [PATCH] add discovery domain if client domain is different from server domain --- ipa-client/ipa-install/ipa-client-install |8 ++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 8e945ce..e196561 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -661,7 +661,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print %s request for host certificate failed % (cmonger.service_name) -def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): +def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain): try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() @@ -706,6 +706,10 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): domain.add_provider('ipa', 'id') +#add discovery domain if client domain different from server domain +if cli_domain != client_domain: +domain.set_option('dns_discovery_domain', cli_domain) + if not options.on_master: domain.set_option('ipa_server', '_srv_, %s' % cli_server) else:
@@ -1123,7 +1127,7 @@ def install(options, env, fstore, statestore): # Always back up sssd.conf. It gets updated by authconfig --enablekrb5. fstore.backup_file(/etc/sssd/sssd.conf) if options.sssd: -if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): +if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain): return CLIENT_INSTALL_ERROR print Configured /etc/sssd/sssd.conf -- 1.7.7.4
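Review bot: in the `@@ -706,6 +706,10 @@` hunk, `if cli_domain != client_domain:` compares DNS names case-sensitively, but DNS names are not case-sensitive, so a client whose hostname domain differs from the server domain only in letter case would get `dns_discovery_domain` set needlessly. Normalise both sides, e.g. `if cli_domain.lower() != client_domain.lower():`. The comment on the new line would also read better with a space after `#`, matching the surrounding code.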
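Review bot: the `@@ -1123,7 +1127,7 @@` hunk passes `client_domain` to `configure_sssd_conf`, but no hunk in this patch defines or computes it in `install()`, and the diffstat (6 insertions, 2 deletions) leaves no room for one. Confirm that `client_domain` already exists in `install()` at this point; otherwise the new argument raises `NameError` before `configure_sssd_conf` is reached. A short comment on the new parameter in `configure_sssd_conf` explaining that it is the client's own DNS domain, as opposed to `cli_domain` (the IPA server's), would help, since the two names are easy to confuse.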
[Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain
Hello,

Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006

Best regards,
Lars

From cd62f50c7adba7eb7e240b9b051b90ba9cb3ce70 Mon Sep 17 00:00:00 2001 From: Lars Sjöström lsjostro@lsjostro.local Date: Thu, 20 Oct 2011 09:34:19 +0200 Subject: [PATCH] Add kerberos mapping for clients outside the IPA domain --- ipa-client/ipa-install/ipa-client-install | 16 ++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 85d7867..fc3437e 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server): return -def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename): +def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, sys_cli_domain=None): krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) krbconf.setOptionAssignment( = ) @@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c #[domain_realm] dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm}, {'name':cli_domain, 'type':'option', 'value':cli_realm}] + +#add mapping if client is outside of IPA domain +if sys_cli_domain: +dropts.append({'name':'.'+sys_cli_domain, 'type':'option', 'value':cli_realm}) +dropts.append({'name':sys_cli_domain, 'type':'option', 'value':cli_realm}) + opts.append({'name':'domain_realm', 'type':'section', 'value':dropts}) opts.append({'name':'empty', 'type':'empty'})
@@ -895,6 +901,12 @@ def install(options, env, fstore, statestore): cli_domain = ds.getDomainName() logging.debug(will use domain: %s\n, cli_domain) +p = hostname.find(.) +sys_cli_domain = hostname[p+1:] + +if sys_cli_domain == cli_domain: +sys_cli_domain = None + if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ or not ds.getServerName(): logging.debug(IPA Server not found) @@ -1015,7 +1027,7 @@ def install(options, env, fstore, statestore): print Unable to sync time with IPA NTP server, assuming the time is in sync. (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) -if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name): +if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, sys_cli_domain): print Test kerberos configuration failed return CLIENT_INSTALL_ERROR env['KRB5_CONFIG'] = krb_name -- 1.7.6.4
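Review bot: in the `@@ -589,6 +589,12 @@` hunk, the two `dropts.append(...)` entries map the entire client DNS domain (`'.'+sys_cli_domain` and `sys_cli_domain`) to `cli_realm`, not just this host. That is the usual shape of a `[domain_realm]` entry, but if other hosts in that DNS domain belong to a different Kerberos realm, this client will now route their service principals to the IPA realm. If only this machine is meant, map the host's own FQDN (an entry with `'name': hostname`) instead of the domain-wide wildcard, and say which of the two is intended in the comment above the block.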
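Review bot: in the `@@ -895,6 +901,12 @@` hunk, `p = hostname.find(.)` returns -1 when `hostname` contains no dot, and `hostname[p+1:]` then evaluates to `hostname[0:]`, i.e. the whole short hostname, which would be added to `[domain_realm]` as if it were a domain. Guard that case, e.g. `if p == -1: sys_cli_domain = None`, and make the `if sys_cli_domain == cli_domain:` check case-insensitive (DNS names are not case-sensitive), otherwise a client in the same domain with different letter case would still get a redundant mapping.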