[Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined

2012-03-20 Thread Lars Sjöström
Hello fellow devs,

I have a proposed patch for ticket #2106
(https://fedorahosted.org/freeipa/ticket/2106)

If the return code of the ipa-join command is 13 (Host already joined), the
host will try to reacquire the keytab file.

Feedback appreciated!

Cheers,
Lars
From 96d58f994ea097d9e62c7aae831066e4a25b01a9 Mon Sep 17 00:00:00 2001
From: Lars Sjostrom l...@radicore.se
Date: Tue, 20 Mar 2012 12:48:07 +0100
Subject: [PATCH] Try to reacquire keytab file if host already joined

---
 ipa-client/ipa-install/ipa-client-install |   26 ++
 1 files changed, 22 insertions(+), 4 deletions(-)
 mode change 100755 => 100644 ipa-client/ipa-install/ipa-client-install

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
old mode 100755
new mode 100644
index 75c6065..a2626b0
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1237,6 +1237,7 @@ def install(options, env, fstore, statestore):
 
 if not options.on_master:
 nolog = tuple()
+password = None
 # First test out the kerberos configuration
 try:
 # Attempt to sync time with IPA server.
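Review bot: the file header above changes the mode of ipa-client-install from 100755 to 100644, which strips the executable bit from the installer script; that looks unintended and should be dropped from the patch (re-run format-patch from a tree where the file is still executable). Initialising `password = None` at the top of the `not options.on_master` block is fine, since the reacquire path later tests it.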
@@ -1297,9 +1298,10 @@ def install(options, env, fstore, statestore):
 print stdout
 return CLIENT_INSTALL_ERROR
 elif options.password:
-nolog = (options.password,)
+password = options.password
+nolog = (password,)
 join_args.append(-w)
-join_args.append(options.password)
+join_args.append(password)
 elif options.prompt_password:
 if options.unattended:
 print Password must be provided in non-interactive mode
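Review bot: `password` is only assigned in the `options.password` branch; the `options.prompt_password` branch that starts just below is not touched by this patch, so a password typed at the prompt will never reach the reacquire logic further down unless that branch is updated to set `password` as well. Either assign it there too or derive it from the same value that goes into `join_args`.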
@@ -1318,11 +1320,27 @@ def install(options, env, fstore, statestore):
 # Now join the domain
 (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog)
 
-if returncode != 0:
+if returncode == 13:
+print %s % stderr   
+print Trying to reacquire keytab file
+getkeytab_args = [/usr/sbin/ipa-getkeytab, -s, cli_server, -p, host/%s % hostname,
+  -k, /etc/krb5.keytab]
+if password:
+getkeytab_args.append(-D) 
+getkeytab_args.append(realm_to_suffix(cli_realm))
+getkeytab_args.append(-w)
+getkeytab_args.append(password)
+(stdout, stderr, returncode) = run(getkeytab_args, raiseonerr=False, env=env, nolog=nolog)
+if returncode != 0:
+print sys.stderr, Re-acquiring of keytab file failed: %s % stderr,
+if not options.force:
+return CLIENT_INSTALL_ERROR
+else:
+print Enrolled in IPA realm %s % cli_realm 
+elif returncode != 0:
 print sys.stderr, Joining realm failed: %s % stderr,
 if not options.force:
 return CLIENT_INSTALL_ERROR
-print   Use ipa-getkeytab to obtain a host principal for this server.
 else:
 print Enrolled in IPA realm %s % cli_realm
 
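Review bot: the new `returncode == 13` branch runs ipa-getkeytab unconditionally, which rewrites /etc/krb5.keytab and invalidates the keytab of any already-joined, working machine with the same name; it should be gated on an explicit override flag rather than run on every "already joined" result (`options.force` alone is too coarse, since force is also used to tolerate other errors). Also check the bind DN: `-D` takes an LDAP DN to bind as, and `realm_to_suffix(cli_realm)` yields the base suffix (the dc=... part) rather than the entry of the host whose one-time password is passed with `-w`, so that bind is unlikely to succeed. Minor: the `print %s % stderr`, `getkeytab_args.append(-D)` and `print Enrolled in IPA realm` lines carry trailing whitespace, and the removed hint `Use ipa-getkeytab to obtain a host principal for this server.` is still useful on the generic failure path when --force is set.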
-- 
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined

2012-03-20 Thread Lars Sjöström
Hi,

Understood! Would it be OK to add an optional flag then, like --reacquire?

like so:
# run only if force and reacquire is set
if options.force and options.reacquire:
  # try to fetch keytab...

Cheers,
Lars

On 20 March 2012 at 13:44, Simo Sorce s...@redhat.com wrote:
 On Tue, 2012-03-20 at 13:00 +0100, Lars Sjöström wrote:
 Hello fellow devs,

 I have a proposed patch for ticket #2106
 (https://fedorahosted.org/freeipa/ticket/2106)

 if return code is 13 (Host already joined) of ipa-join command the
 host will try to reacquire the keytab file.

 Feedback appreciated!

 Hi Lars, at the very least this should be conditional and be allowed
 only when an override flag is passed. The reason we punt here is that
 you may be trying to join a machine with the same name of an already
 joined and working machine by mistake.
 We do not want to void that other machine credentials unless the admin
 wants to force it.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York

-- 
Lars Sjöström
Senior Consultant / Owner
Radicore AB

Mobile: +46 (0)703 021502
Email: l...@radicore.se
Web: http://www.radicore.se


Re: [Freeipa-devel] [PATCH] Try to reacquire keytab file if host already joined

2012-03-20 Thread Lars Sjöström
 Lars Sjöström wrote:

 Hi,

 Understood! Would it be ok to add an optional flag then?
 like --reacquire ?

 like so:
 # run only if force and reacquire is set
 if options.force and options.reacquire:
   # try to fetch keytab...

 Cheers,
 Lars


 That sounds reasonable. In what case would you want to re-enroll a host
 without disabling it first?

One use case is where you, for instance, reinstall your OS a lot (in an
automated fashion): the client will not have any traces left of the
IPA client config, which means the client can't unenroll itself
easily. If you know you're reinstalling a lot, one would run
ipa-client-install with the re-acquire flag set to let the client try
to repair itself.

One could always skip the ipa-client-install command and script
around the ipa* commands, but I would prefer to have it supported by
ipa-client-install.

Would that make any sense? :)

Cheers,
Lars


 rob




[Freeipa-devel] dns_discovery_domain for clients outside server domain

2011-12-21 Thread Lars Sjöström
Hello,

I have prepared a patch for https://fedorahosted.org/freeipa/ticket/2209

Feedback appreciated.

Best regards,
Lars
From 510bbfdc4e25eef715d3ceedf8e3463c771166ae Mon Sep 17 00:00:00 2001
From: Lars Sjostrom l...@radicore.se
Date: Wed, 21 Dec 2011 22:32:01 +0100
Subject: [PATCH] add discovery domain if client domain is different from
 server domain

---
 ipa-client/ipa-install/ipa-client-install |8 ++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e945ce..e196561 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -661,7 +661,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
 except:
 print %s request for host certificate failed % (cmonger.service_name)
 
-def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
+def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain):
 try:
 sssdconfig = SSSDConfig.SSSDConfig()
 sssdconfig.import_config()
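Review bot: `client_domain` is added as a required positional parameter at the end of the configure_sssd_conf signature, so any caller that is not updated in this patch will raise TypeError. Giving it a default (`client_domain=None`) and treating None as "same as cli_domain" keeps existing call sites working and makes the optional nature of the argument explicit.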
@@ -706,6 +706,10 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
 domain.add_provider('ipa', 'id')
 
+#add discovery domain if client domain different from server domain
+if cli_domain != client_domain:
+domain.set_option('dns_discovery_domain', cli_domain)
+
 if not options.on_master:
 domain.set_option('ipa_server', '_srv_, %s' % cli_server)
 else:
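Review bot: setting `dns_discovery_domain` to `cli_domain` (the IPA server's DNS domain) is what sssd needs to find the `_ldap._tcp` and `_kerberos._udp` SRV records when the client's own domain differs, so the logic is right. Two small points: the comparison `cli_domain != client_domain` is case-sensitive, so a differently-cased client domain sets the option needlessly (compare lower-cased values), and the comment should read `# add discovery domain ...` with a space after the hash per PEP 8.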
@@ -1123,7 +1127,7 @@ def install(options, env, fstore, statestore):
 # Always back up sssd.conf. It gets updated by authconfig --enablekrb5.
 fstore.backup_file(/etc/sssd/sssd.conf)
 if options.sssd:
-if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
+if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain):
 return CLIENT_INSTALL_ERROR
 print Configured /etc/sssd/sssd.conf
 
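Review bot: `client_domain` is passed into configure_sssd_conf here but is not defined anywhere in this diff; confirm it is already in scope in install() (derived from the client's own hostname) before merging, otherwise this line is a NameError at runtime.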
-- 
1.7.7.4


[Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

2011-10-20 Thread Lars Sjöström
Hello,

Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006

Best regards,
Lars
From cd62f50c7adba7eb7e240b9b051b90ba9cb3ce70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6str=C3=B6m?= lsjostro@lsjostro.local
Date: Thu, 20 Oct 2011 09:34:19 +0200
Subject: [PATCH] Add kerberos mapping for clients outside the IPA domain

---
 ipa-client/ipa-install/ipa-client-install |   16 ++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 85d7867..fc3437e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server):
 
 return
 
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, sys_cli_domain=None):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
 krbconf.setOptionAssignment( = )
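Review bot: adding `sys_cli_domain=None` as a keyword argument keeps existing callers working, which is the right choice; a docstring line stating that it is the client's own DNS domain, set only when that differs from the IPA domain, would help, since the name is easy to confuse with `cli_domain`.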
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
 #[domain_realm]
 dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
   {'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+#add mapping if client is outside of IPA domain
+if sys_cli_domain:
+dropts.append({'name':'.'+sys_cli_domain, 'type':'option', 'value':cli_realm})
+dropts.append({'name':sys_cli_domain, 'type':'option', 'value':cli_realm})
+
 opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
 opts.append({'name':'empty', 'type':'empty'})
 
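Review bot: the two appended entries map both `.<sys_cli_domain>` and `<sys_cli_domain>` itself to `cli_realm`, mirroring the existing pair for `cli_domain`, which is the right shape for a [domain_realm] section. One consequence worth stating in the commit message: every host under the client's DNS domain is now assumed to belong to the IPA realm, not just this client, so if that domain is shared with hosts served by another realm the broader mapping can send ticket requests to the wrong KDC. Style: `#add mapping` should be `# add mapping`.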
@@ -895,6 +901,12 @@ def install(options, env, fstore, statestore):
 cli_domain = ds.getDomainName()
 logging.debug(will use domain: %s\n, cli_domain)
 
+p = hostname.find(.)
+sys_cli_domain = hostname[p+1:]
+ 
+if sys_cli_domain == cli_domain:
+sys_cli_domain = None
+
 if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
 or not ds.getServerName():
 logging.debug(IPA Server not found)
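Review bot: `hostname.find(...)` returns -1 when the hostname is unqualified, so `hostname[p+1:]` then equals the whole hostname and `sys_cli_domain` becomes a bogus domain that is never equal to `cli_domain`. Guard on `p > 0` (or use `hostname.partition('.')`) and leave `sys_cli_domain = None` otherwise; the comparison with `cli_domain` should also be case-insensitive. The empty `+` line carries a stray trailing space.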
@@ -1015,7 +1027,7 @@ def install(options, env, fstore, statestore):
 print Unable to sync time with IPA NTP server, assuming the time is in sync.
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, sys_cli_domain):
 print Test kerberos configuration failed
 return CLIENT_INSTALL_ERROR
 env['KRB5_CONFIG'] = krb_name
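Review bot: only this call, which writes the temporary test configuration (`krb_name`), is updated to pass `sys_cli_domain`; if configure_krb5_conf is also called elsewhere in install() for the final /etc/krb5.conf, that call is not in this diff and would still produce a configuration without the mapping, so the client would pass the kerberos test but lose the mapping once installed. Please check every call site.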
-- 
1.7.6.4
