Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Pavel Zuna wrote:
> Fix #798
>
> Pavel

I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.

This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.

I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.

I thought that enrollment is based only on the presence of the keytab. Since the principal is not something that can be changed, why can't it be created when the entry is created? Does the current logic delete the principal when the machine is un-enrolled from the CLI or GUI? It seems logical to just check the presence of the keytab. If it is there, enrolled. If not, then not. Am I missing something?

> This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
On Wed, 19 Jan 2011 15:12:03 -0500
Rob Crittenden rcrit...@redhat.com wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> I don't think this is the right fix. IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.
>
> This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.

Should we revert in the meanwhile?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pal d...@redhat.com wrote:
> I thought that enrollment is based only on the presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence, as our ACIs prevent any access for reading (and rightly so).

I think the krbPrincipalName attribute was used to check if Kerberos credentials were assigned.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Simo Sorce wrote:
> On Wed, 19 Jan 2011 15:22:22 -0500
> Dmitri Pal d...@redhat.com wrote:
>> I thought that enrollment is based only on the presence of the keytab.
>
> By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence, as our ACIs prevent any access for reading (and rightly so).
>
> I think the krbPrincipalName attribute was used to check if Kerberos credentials were assigned.
>
> Simo.

Yes, that's right. We also use krbLastPwdChange for this purpose but the krbPrincipalName work predated this. We might need to revisit what I originally did, which is why I think the patch is ok for now. For now, at least as far as I can tell, it just causes a strange message in ipa-join.

rob
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal d...@redhat.com wrote:
>>> I thought that enrollment is based only on the presence of the keytab.
>>
>> By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence, as our ACIs prevent any access for reading (and rightly so).
>>
>> I think the krbPrincipalName attribute was used to check if Kerberos credentials were assigned.
>>
>> Simo.
>
> Yes, that's right. We also use krbLastPwdChange for this purpose but the krbPrincipalName work predated this. We might need to revisit what I originally did, which is why I think the patch is ok for now. For now, at least as far as I can tell, it just causes a strange message in ipa-join.

Yes, the one that I noticed yesterday stating that the principal exists. Ok, I am corrected; let us reopen the ticket.

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Fix #798 Pavel From a013e19957b33ca84102efdc0be7448eb3a83423 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 18 Jan 2011 15:43:07 -0500 Subject: [PATCH 2/2] Fix password/random logic in host plugin. Fix #798 --- ipalib/plugins/host.py | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 0a40705..6947d90 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -319,16 +319,19 @@ class host_add(LDAPCreate): del entry_attrs['locality'] entry_attrs['cn'] = keys[-1] entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0] -if 'userpassword' not in entry_attrs and \ -options.get('random', False) == False: +if 'userpassword' not in entry_attrs and not options.get('random', False): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) -if 'krbprincipalaux' not in entry_attrs['objectclass']: -entry_attrs['objectclass'].append('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: entry_attrs['objectclass'].append('krbprincipal') -elif 'krbprincipalaux' in entry_attrs['objectclass']: -entry_attrs['objectclass'].remove('krbprincipalaux') +if 'krbprincipal' not in entry_attrs: +entry_attrs['objectclass'].append('krbprincipalaux') +else: +if 'krbprincipal' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipal') +if 'krbprincipalaux' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipalaux') if 'random' in options: if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password() -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
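Review bot: the two new objectclass guards in the no-password branch test the wrong container: `+if 'krbprincipal' not in entry_attrs:` checks whether an attribute key named `krbprincipal` is in the `entry_attrs` dict, not whether the value is in `entry_attrs['objectclass']`, so the guard is effectively always true, and the second guard repeats the `'krbprincipal'` test before appending `'krbprincipalaux'`. The new `else:` branch below does check `entry_attrs['objectclass']` correctly; the add side should mirror it, i.e. `if 'krbprincipal' not in entry_attrs['objectclass']:` before the `krbprincipal` append and `if 'krbprincipalaux' not in entry_attrs['objectclass']:` before the `krbprincipalaux` append, so that neither value can be appended twice and produce a duplicate objectclass value in the add request.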
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
On 01/18/2011 06:27 PM, Pavel Zuna wrote:
> Fix #798
>
> Pavel

Ack (again, fast ack because I tested off-list before sending)
Re: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
On 01/18/2011 12:32 PM, Jakub Hrozek wrote:
> On 01/18/2011 06:27 PM, Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> Ack (again, fast ack because I tested off-list before sending)

Pushed to master