Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
On 07.06.2016 17:25, Florence Blanc-Renaud wrote:
> On 06/06/2016 07:18 PM, Martin Basti wrote:
>> On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> this patch modifies ipa-replica-conncheck when it performs the SSH
>>> connection to the master, so that the username is always fully
>>> qualified.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5812
>>>
>>> --
>>> Florence Blanc-Renaud
>>> Identity Management Team, Red Hat
>>
>> LGTM, but because of current issues with replica install in the master
>> branch, I couldn't test it and I would like to be sure that
>> ipa-replica-install using NTP will work too.
>>
>> Just a little nitpick, for better readability, 'command' should be on a
>> new line:
>>
>> -'%s@%s' % (self.user, self.addr), command
>> +'-o User=%s' % self.user,
>> +'%s' % self.addr, command
>>
>> Martin^2
>
> Hi Martin,
>
> thanks for the review. I am attaching a new patch with your suggestion.
>
> Just for my record, what would be the command-line options to test the
> scenario you're referring to?
>
> Flo.

Hello,

scenario is:

1. install server
2. create host entry with OTP (ipa host-add replica.hostname --password=OTPpasswd)
3. add host to ipaservers group (ipa hostgroup-add-member ipaservers --hosts=replica.hostname)
4. install replica (ipa-replica-install --server --domain --password=OTPpasswd)

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
On 06/06/2016 07:18 PM, Martin Basti wrote:
> On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> this patch modifies ipa-replica-conncheck when it performs the SSH
>> connection to the master, so that the username is always fully
>> qualified.
>>
>> https://fedorahosted.org/freeipa/ticket/5812
>>
>> --
>> Florence Blanc-Renaud
>> Identity Management Team, Red Hat
>
> LGTM, but because of current issues with replica install in the master
> branch, I couldn't test it and I would like to be sure that
> ipa-replica-install using NTP will work too.
>
> Just a little nitpick, for better readability, 'command' should be on a
> new line:
>
> -'%s@%s' % (self.user, self.addr), command
> +'-o User=%s' % self.user,
> +'%s' % self.addr, command
>
> Martin^2

Hi Martin,

thanks for the review. I am attaching a new patch with your suggestion.

Just for my record, what would be the command-line options to test the scenario you're referring to?

Flo.

From c044d89b789c91384ac0c648e1f2eee88cac4cf3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile= \
        -o GSSAPIAuthentication=yes @ \
        echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal ad...@example.com).

When the FreeIPA server is running with a /etc/sssd/sssd.conf containing

    [sssd]
    default_domain_suffix = ad.domain.com

this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile= \
        -o GSSAPIAuthentication=yes -o User= \
        echo OK

to avoid syntax issues with admin@DOMAIN@master

https://fedorahosted.org/freeipa/ticket/5812
---
 install/tools/ipa-replica-conncheck | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdf08d63127614a9b26995026e3c25806003f5a0..991f4e429dd1df7036b4a1c0175ca5daaea521ad 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -66,7 +66,9 @@ class SshExec(object): '-o StrictHostKeychecking=no', '-o UserKnownHostsFile=%s' % tmpf.name, '-o GSSAPIAuthentication=yes', -'%s@%s' % (self.user, self.addr), command +'-o User=%s' % self.user, +'%s' % self.addr, +command ] if verbose: cmd.insert(1, '-v') @@ -517,7 +519,8 @@ def main(): except Exception: print_info("Retrying using SSH...") -user = principal.partition('@')[0] +# Ticket 5812 Always qualify requests for admin +user = principal ssh = SshExec(user, options.master) print_info("Check SSH connection to remote master") -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
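Review bot: in the first hunk, `'%s' % self.addr` is a no-op format; pass `self.addr` directly (with `command` on its own line, as already suggested, each argv element then sits on one line). Note also what `-o User=%s` changes on the wire: the login name sent to the master is now the whole principal, e.g. `admin@EXAMPLE.COM`, and sshd on the master has to resolve exactly that string through sssd, which is what the commit message relies on. The surrounding `-o StrictHostKeychecking=no` together with a throwaway `UserKnownHostsFile` means the master's host key is never checked, so GSSAPI authentication is the only thing tying this probe to the intended host; acceptable for a connectivity check, but worth a comment in the code.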
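Review bot: in the second hunk, `user = principal` forwards whatever `--principal` supplied, so an unqualified value such as `admin` reaches ssh unchanged and still hits the `default_domain_suffix` failure the commit message describes; unless `principal` is guaranteed to carry a realm by this point, append the realm here rather than rely on the caller. The new comment would also help more as a description than as a ticket number, e.g. `# Pass the fully qualified principal so sssd's default_domain_suffix does not apply (ticket 5812)`.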
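The failure described in the commit message, and the shape of the fix, as an added example (this is not FreeIPA's code or the patch itself). It models sssd's documented rule that an unqualified login name gets `default_domain_suffix` appended, shows why bare `admin` lands in the wrong domain while `admin@EXAMPLE.COM` does not, and builds the ssh argv the way the patched `SshExec` does. Assumptions: the sssd.conf fragment, host names, realm and known_hosts path are constructed for the example; sssd itself is not consulted; `qualify_principal` goes one step beyond the patch by realm-qualifying a bare principal.

```python
"""Added example (not FreeIPA code): model the sssd login-name problem the
patch fixes and build the ssh argv in the shape of the patched SshExec."""

import configparser

# Constructed sssd.conf fragment, modelled on the one in the commit message
# (assumption: domain names are made up for this example).
SSSD_CONF = """\
[sssd]
domains = example.com, ad.domain.com
default_domain_suffix = ad.domain.com

[domain/example.com]
id_provider = ipa

[domain/ad.domain.com]
id_provider = ad
"""


def resolve_login(login, sssd_conf_text):
    """Return (user, domain) for the login name sshd hands to sssd.

    Models sssd's documented rule: an unqualified name gets
    default_domain_suffix appended; a qualified one is split at its first
    '@'. The domain is lower-cased for comparison, since a Kerberos realm is
    written upper-case and an sssd domain lower-case.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    user, sep, domain = login.partition('@')
    if not user:
        raise ValueError('empty login name: %r' % login)
    if not sep:
        domain = cfg.get('sssd', 'default_domain_suffix', fallback='')
    return user, (domain.lower() or None)


def login_reaches_ipa_domain(login, ipa_domain, sssd_conf_text):
    """True when the login name resolves in the IPA domain, i.e. the SSH
    connection check would look up the intended user."""
    _, domain = resolve_login(login, sssd_conf_text)
    return domain == ipa_domain.lower()


def qualify_principal(principal, default_realm):
    """Append the realm to a bare principal so the value handed to ssh is
    always user@REALM (the patch leaves the bare case to the caller)."""
    user, sep, realm = principal.partition('@')
    if not user or (sep and not realm):
        raise ValueError('malformed principal: %r' % principal)
    return principal if sep else '%s@%s' % (user, default_realm)


def ssh_argv(principal, addr, command, known_hosts, verbose=False):
    """Argument list in the shape of the patched SshExec: login name via
    '-o User=', host as its own element, so the '@' inside the principal
    never shares a token with the host. One argv element per item, no shell.
    ssh keywords are case-insensitive, so StrictHostKeyChecking matches the
    patch's spelling as well."""
    argv = ['ssh',
            '-o', 'StrictHostKeyChecking=no',
            '-o', 'UserKnownHostsFile=%s' % known_hosts,
            '-o', 'GSSAPIAuthentication=yes',
            '-o', 'User=%s' % principal,
            addr,
            command]
    if verbose:
        argv.insert(1, '-v')
    return argv


if __name__ == '__main__':
    for login in ('admin', 'admin@EXAMPLE.COM'):
        ok = login_reaches_ipa_domain(login, 'example.com', SSSD_CONF)
        print('%-18s -> %-30r %s' % (login, resolve_login(login, SSSD_CONF),
                                     'ok' if ok else 'FAILS'))
    print(ssh_argv(qualify_principal('admin', 'EXAMPLE.COM'),
                   'master.example.com', 'echo OK', '/tmp/known_hosts.XXXX'))
```

Run stand-alone it prints that `admin` resolves in `ad.domain.com` (the failing case from the commit message) while `admin@EXAMPLE.COM` resolves in `example.com`, followed by an argv in which the principal lives only in the `User=` option and the host is a separate element.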
Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
> Hi,
>
> this patch modifies ipa-replica-conncheck when it performs the SSH
> connection to the master, so that the username is always fully
> qualified.
>
> https://fedorahosted.org/freeipa/ticket/5812
>
> --
> Florence Blanc-Renaud
> Identity Management Team, Red Hat

LGTM, but because of current issues with replica install in the master branch, I couldn't test it and I would like to be sure that ipa-replica-install using NTP will work too.

Just a little nitpick, for better readability, 'command' should be on a new line:

-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr, command

Martin^2
[Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
Hi, this patch modifies ipa-replica-conncheck when it performs the SSH connection to the master, so that the username is always fully qualified. https://fedorahosted.org/freeipa/ticket/5812 -- Florence Blanc-Renaud Identity Management Team, Red Hat From ea7e2dbdce797f0640b752aff3064956b2bd1639 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Wed, 1 Jun 2016 17:42:48 +0200 Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck ipa-replica-conncheck connects to the master using an SSH command: ssh -o StrictHostKeychecking=no -o UserKnownHostsFile= \ -o GSSAPIAuthentication=yes @ \ echo OK The issue is that the principal name is not fully qualified (for instance 'admin' is used, even if ipa-replica-conncheck was called with --principal ad...@example.com). When the FreeIPA server is running with a /etc/sssd/sssd.conf containing [sssd] default_domain_suffix = ad.domain.com this leads to the SSH connection failure because admin is not defined in the default domain. The fix uses the fully qualified principal name, and calls ssh with ssh -o StrictHostKeychecking=no -o UserKnownHostsFile= \ -o GSSAPIAuthentication=yes -o User= \ echo OK to avoid syntax issues with admin@DOMAIN@master https://fedorahosted.org/freeipa/ticket/5812 --- install/tools/ipa-replica-conncheck | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index d88291e55cdee7ea959d73f7535dd3db4ca2c31d..0008fb399022a180d38c36b14377f05068da420b 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -66,7 +66,8 @@ class SshExec(object): '-o StrictHostKeychecking=no', '-o UserKnownHostsFile=%s' % tmpf.name, '-o GSSAPIAuthentication=yes', -'%s@%s' % (self.user, self.addr), command +'-o User=%s' % self.user, +'%s' % self.addr, command ] if verbose: cmd.insert(1, '-v') 
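Review bot: in the `SshExec` hunk, `'%s' % self.addr, command` packs two argv elements onto one line and formats `self.addr` for no reason; write `self.addr,` and `command,` on separate lines so each element has its own line, matching the `-o` entries above it.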
@@ -515,7 +516,8 @@ def main(): except Exception: print_info("Retrying using SSH...") -user = principal.partition('@')[0] +# Ticket 5812 Always qualify requests for admin +user = principal ssh = SshExec(user, options.master) print_info("Check SSH connection to remote master") -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
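Review bot: in the `main()` hunk, the SSH fallback sits under a bare `except Exception:` that prints only "Retrying using SSH...", so whatever failed in the preceding step is discarded and a non-connectivity error is masked; log the caught exception (at least at debug level) before retrying, so a failure of the new `user = principal` path can be told apart from a failure of the step it replaces.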