Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden

Pavel Zuna wrote:
> Fix #798
>
> Pavel



I don't think this is the right fix.

IIRC the idea was that pre-created hosts with a password (either 
provided or random) would not have a principal. The principal would be 
added once the host is enrolled.


This will fix the plugin as far as adding entries but will cause 
ipa-join to report a warning that the principal already exists.


I realize that this has already been pushed but the ticket should be 
re-opened and another look taken at this.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> I don't think this is the right fix.
>
> IIRC the idea was that pre-created hosts with a password (either
> provided or random) would not have a principal. The principal would be
> added once the host is enrolled.
I thought that enrollment is based only on the presence of the keytab. Since
the principal is not something that can be changed, why can't it be
created when the entry is created?
Does the current logic delete the principal when the machine is
un-enrolled from the CLI or GUI? It seems logical to just check the presence
of the keytab. If it is there, it is enrolled. If not, then it is not.
Am I missing something?



> This will fix the plugin as far as adding entries but will cause
> ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be
> re-opened and another look taken at this.
>
> rob





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 15:12:03 -0500
Rob Crittenden rcrit...@redhat.com wrote:

> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
>
> I don't think this is the right fix.
>
> IIRC the idea was that pre-created hosts with a password (either
> provided or random) would not have a principal. The principal would
> be added once the host is enrolled.
>
> This will fix the plugin as far as adding entries but will cause
> ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be
> re-opened and another look taken at this.

Should we revert in the meanwhile?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pal d...@redhat.com wrote:

> I thought that enrollment is based only on the presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for its
presence, as our ACIs prevent any access for reading (and rightly so).

I think the krbPrincipalName attribute was used to check if Kerberos
credentials were assigned.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Rob Crittenden

Simo Sorce wrote:
> On Wed, 19 Jan 2011 15:22:22 -0500
> Dmitri Pal d...@redhat.com wrote:
>
>> I thought that enrollment is based only on the presence of the keytab.
>
> By keytab I guess you mean the krbPrincipalKey attribute.
> The presence of that attribute is unknown to all users except
> cn=Directory Manager and uid=kdc, so no user can check for its
> presence, as our ACIs prevent any access for reading (and rightly so).
>
> I think the krbPrincipalName attribute was used to check if Kerberos
> credentials were assigned.
>
> Simo.



Yes, that's right. We also use krbLastPwdChange for this purpose but the 
krbPrincipalName work predated this.


We might need to revisit what I originally did which is why I think the 
patch is ok for now. For now, at least as far as I can tell, it just 
causes a strange message in ipa-join.


rob



Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-19 Thread Dmitri Pal
Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal d...@redhat.com wrote:
>>
>>> I thought that enrollment is based only on the presence of the keytab.
>>
>> By keytab I guess you mean the krbPrincipalKey attribute.
>> The presence of that attribute is unknown to all users except
>> cn=Directory Manager and uid=kdc, so no user can check for its
>> presence, as our ACIs prevent any access for reading (and rightly so).
>>
>> I think the krbPrincipalName attribute was used to check if Kerberos
>> credentials were assigned.
>>
>> Simo.
>
>
> Yes, that's right. We also use krbLastPwdChange for this purpose but
> the krbPrincipalName work predated this.
>
> We might need to revisit what I originally did which is why I think
> the patch is ok for now. For now, at least as far as I can tell, it
> just causes a strange message in ipa-join.



Yes, the one that I noticed yesterday stating that the principal exists.
Ok, I am corrected; let us reopen the ticket.

> rob





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-18 Thread Pavel Zuna

Fix #798

Pavel
From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 18 Jan 2011 15:43:07 -0500
Subject: [PATCH 2/2] Fix password/random logic in host plugin.

Fix #798
---
 ipalib/plugins/host.py |   15 +--
 1 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 0a40705..6947d90 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -319,16 +319,19 @@ class host_add(LDAPCreate):
 del entry_attrs['locality']
 entry_attrs['cn'] = keys[-1]
 entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
-if 'userpassword' not in entry_attrs and \
-options.get('random', False) == False:
+if 'userpassword' not in entry_attrs and not options.get('random', False):
 entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
 keys[-1], self.api.env.realm
 )
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
-entry_attrs['objectclass'].append('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
 entry_attrs['objectclass'].append('krbprincipal')
-elif 'krbprincipalaux' in entry_attrs['objectclass']:
-entry_attrs['objectclass'].remove('krbprincipalaux')
+if 'krbprincipal' not in entry_attrs:
+entry_attrs['objectclass'].append('krbprincipalaux')
+else:
+if 'krbprincipal' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipal')
+if 'krbprincipalaux' in entry_attrs['objectclass']:
+entry_attrs['objectclass'].remove('krbprincipalaux')
 if 'random' in options:
 if options.get('random'):
 entry_attrs['userpassword'] = ipa_generate_password()
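Review bot: the two new guards `if 'krbprincipal' not in entry_attrs:` test the entry_attrs dict, whose keys are LDAP attribute names, so 'krbprincipal' is never found there; both guards are always true and 'krbprincipal' and 'krbprincipalaux' get appended even when the caller already supplied them in entry_attrs['objectclass'], which is exactly the duplicate the removed `if 'krbprincipalaux' not in entry_attrs['objectclass']:` line was guarding against. The checks should read `if 'krbprincipal' not in entry_attrs['objectclass']:` and `if 'krbprincipalaux' not in entry_attrs['objectclass']:` respectively. A one-line comment above the outer `if` stating the intended rule (principal only when neither a password nor --random is given, per the thread) would also save the next reader from re-deriving it.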
-- 
1.7.1.1

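The rule the thread is arguing about (a pre-created host that gets a one-time password, given or random, is not enrolled yet and so carries no Kerberos principal; a host created without any password gets host/<fqdn>@REALM right away) is small enough to model outside the plugin. The following is an added example, not FreeIPA's host.py: a plain dict stands in for LDAPCreate's entry_attrs, the REALM value and the base objectclasses are constructed, and generate_password is a stand-in for ipa_generate_password. It also shows the objectclass membership check done against the objectclass list rather than the attribute dict, so that repeated or caller-supplied classes are not appended twice.

```python
# Added example (not FreeIPA project code). Models the host_add attribute
# logic discussed on the list with a plain dict in place of entry_attrs.
import secrets

REALM = "EXAMPLE.TEST"  # constructed realm, stands in for self.api.env.realm
BASE_OBJECTCLASSES = ("ipaobject", "ipahost")  # constructed for illustration
PRINCIPAL_OBJECTCLASSES = ("krbprincipal", "krbprincipalaux")


def generate_password(nbytes=12):
    """Stand-in for ipa_generate_password(): a random one-time password."""
    return secrets.token_urlsafe(nbytes)


def prepare_host_entry(fqdn, entry_attrs=None, random=False):
    """Return the attributes a newly created host entry would carry.

    - no password and no --random: the host gets host/<fqdn>@REALM and the
      Kerberos principal objectclasses immediately;
    - a password (supplied or random): the host is pre-created but not yet
      enrolled, so it carries no principal; enrollment adds it later.
    """
    entry = dict(entry_attrs or {})
    # copy the list so the caller's objectclass list is not mutated
    classes = list(entry.get("objectclass", BASE_OBJECTCLASSES))
    entry["cn"] = fqdn
    entry["serverhostname"] = fqdn.split(".", 1)[0]

    if "userpassword" not in entry and not random:
        entry["krbprincipalname"] = "host/%s@%s" % (fqdn, REALM)
        # membership is checked against the objectclass list, not the
        # attribute dict, so each class is appended at most once
        for oc in PRINCIPAL_OBJECTCLASSES:
            if oc not in classes:
                classes.append(oc)
    else:
        entry.pop("krbprincipalname", None)
        for oc in PRINCIPAL_OBJECTCLASSES:
            if oc in classes:
                classes.remove(oc)
        if random:
            entry["userpassword"] = generate_password()

    entry["objectclass"] = classes
    return entry


def has_principal(entry):
    """krbPrincipalName presence is the indicator the thread describes."""
    return "krbprincipalname" in entry


if __name__ == "__main__":
    for fqdn, attrs, rnd in (
        ("h1.example.test", None, False),
        ("h2.example.test", None, True),
        ("h3.example.test", {"userpassword": "Secret123"}, False),
    ):
        e = prepare_host_entry(fqdn, attrs, random=rnd)
        print(fqdn, "principal" if has_principal(e) else "no principal",
              sorted(e["objectclass"]))
```

Running the block creates one host of each kind; only the first, created without any password, ends up with krbprincipalname and the krbprincipal/krbprincipalaux objectclasses.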

Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-18 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/18/2011 06:27 PM, Pavel Zuna wrote:
> Fix #798
>
> Pavel
>

Ack (again, fast ack because I tested off-list before sending)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk01zq4ACgkQHsardTLnvCUkXACg4Se47znJxYjfaeGq2ViXWb+h
XcQAoNSNzEzoqzDH8d/FaetU2qv+EPi/
=KpUx
-END PGP SIGNATURE-



Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

2011-01-18 Thread Adam Young

On 01/18/2011 12:32 PM, Jakub Hrozek wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/18/2011 06:27 PM, Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> Ack (again, fast ack because I tested off-list before sending)
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk01zq4ACgkQHsardTLnvCUkXACg4Se47znJxYjfaeGq2ViXWb+h
> XcQAoNSNzEzoqzDH8d/FaetU2qv+EPi/
> =KpUx
> -END PGP SIGNATURE-


Pushed to master
