At least once I had kinit fail to get a proper ticket and yet not return an error. I honestly was not able to reproduce, but add a double check to make sure we actually got a usable ticket so that ssh does not prompt again for the admin user password.
Fixes: https://fedorahosted.org/freeipa/ticket/1746

-- 
Simo Sorce * Red Hat, Inc * New York
>From aa8bdfea9c2e464977d31571bd623c8ac711f02e Mon Sep 17 00:00:00 2001 From: Simo Sorce <sso...@redhat.com> Date: Wed, 31 Aug 2011 14:13:32 -0400 Subject: [PATCH 2/2] conncheck: Additional check to verify the admin password is ok If we can get a ticket for the master then we know we got all right. This should avoid being prompted again by ssh if the kinit failed and for some reason the error was not caught (seen in live tests). --- install/tools/ipa-replica-conncheck | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 18eeacdf45bf78009a08db9da462ef2fab4e31ee..d6e03f8d13a7a9bde004619a47cfec4dedba8ab5 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -308,6 +308,15 @@ def main(): if returncode != 0: raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr) + # Verify kinit was actually successful + stderr='' + (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno', + 'host/%s' % options.master], + env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE}, + raiseonerr=False) + if returncode != 0: + raise RuntimeError("Could not get ticket for master server: %s" % stderr) + remote_check_opts = ['--replica %s' % options.hostname] print_info("Execute check on remote master") -- 1.7.6
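Review bot: The stderr='' assignment at the top of the added block is dead code, because the tuple unpacking from ipautil.run() on the next statement overwrites stderr unconditionally; drop that line. Since the stated aim is to tell a silently failed kinit apart from other problems, the RuntimeError text would also be more useful if it named the principal that kvno was asked for ('host/%s' % options.master) rather than only "master server", so that a failure caused by a wrong or unresolvable master hostname is not mistaken for a bad admin password. As a style point, the env dict literal wants a space after each colon and after the comma, to match the rest of the call.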