Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck

2016-06-07 Thread Martin Basti



On 07.06.2016 17:25, Florence Blanc-Renaud wrote:

On 06/06/2016 07:18 PM, Martin Basti wrote:




On 02.06.2016 14:58, Florence Blanc-Renaud wrote:


Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH 
connection to the master, so that the username is always fully 
qualified.


https://fedorahosted.org/freeipa/ticket/5812
--
Florence Blanc-Renaud
Identity Management Team, Red Hat




LGTM, but because of current issues with replica install in the master 
branch, I couldn't test it and I would like to be sure that 
ipa-replica-install using NTP will work too.



Just a little nitpick: for better readability, 'command' should be on a 
new line

-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr, command

Martin^2


Hi Martin,

thanks for the review. I am attaching a new patch with your 
suggestion. Just for my record, what would be the command-line options 
to test the scenario you're referring to?


Flo.



Hello,

scenario is:
1. install server
2. create host entry with OTP (ipa host-add replica.hostname 
--password=OTPpasswd)
3. add host to ipaservers group (ipa hostgroup-add-member ipaservers 
--hosts=replica.hostname)
4. install replica (ipa-replica-install --server <server.hostname> 
--domain <domain> --password=OTPpasswd)


Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck

2016-06-07 Thread Florence Blanc-Renaud

On 06/06/2016 07:18 PM, Martin Basti wrote:




On 02.06.2016 14:58, Florence Blanc-Renaud wrote:


Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH 
connection to the master, so that the username is always fully qualified.


https://fedorahosted.org/freeipa/ticket/5812
--
Florence Blanc-Renaud
Identity Management Team, Red Hat




LGTM, but because of current issues with replica install in the master 
branch, I couldn't test it and I would like to be sure that 
ipa-replica-install using NTP will work too.



Just a little nitpick: for better readability, 'command' should be on a 
new line

-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr, command

Martin^2


Hi Martin,

thanks for the review. I am attaching a new patch with your suggestion. 
Just for my record, what would be the command-line options to test the 
scenario you're referring to?


Flo.

From c044d89b789c91384ac0c648e1f2eee88cac4cf3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes <user>@<master> \
echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@example.com).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
[sssd]
default_domain_suffix = ad.domain.com
this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes -o User=<principal> \
<master> echo OK
to avoid syntax issues with admin@DOMAIN@master.

https://fedorahosted.org/freeipa/ticket/5812
---
 install/tools/ipa-replica-conncheck | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdf08d63127614a9b26995026e3c25806003f5a0..991f4e429dd1df7036b4a1c0175ca5daaea521ad 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,9 @@ class SshExec(object):
 '-o StrictHostKeychecking=no',
 '-o UserKnownHostsFile=%s' % tmpf.name,
 '-o GSSAPIAuthentication=yes',
-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr,
+command
 ]
 if verbose:
 cmd.insert(1, '-v')
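
Review bot: the added `'%s' % self.addr` is a no-op format; pass `self.addr` directly. With `self.user` now carrying the realm (admin@EXAMPLE.COM), `-o User=%s` is the right place for it, since it keeps the login name out of the user@host argument that is removed here. Two things on the unchanged context lines: `StrictHostKeychecking` has a lower-case c (OpenSSH matches option keywords case-insensitively, so it is accepted, but the canonical spelling is `StrictHostKeyChecking`), and together with the throwaway `UserKnownHostsFile` it means the master's host key is accepted without verification, so keep this connection limited to the `echo OK` probe it runs today.
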
@@ -517,7 +519,8 @@ def main():
 except Exception:
 print_info("Retrying using SSH...")
 
-user = principal.partition('@')[0]
+# Ticket 5812 Always qualify requests for admin
+user = principal
 ssh = SshExec(user, options.master)
 
 print_info("Check SSH connection to remote master")
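
Review bot: the comment on the added line cites the ticket but not the reason; say in code that the realm supplied via --principal is kept so that sshd on the master resolves the user in the IPA domain instead of SSSD appending default_domain_suffix. With the partition gone, `user = principal` is a plain alias; pass `principal` to `SshExec` directly. Since the realm in `principal` is normally upper case (admin@EXAMPLE.COM) while the SSSD domain name is lower case, the OTP replica-install run requested in the thread should be done on a master both with and without default_domain_suffix set.
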
-- 
2.5.5

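The commit message above describes the failure in prose. The following is an added example of mine, not FreeIPA or SSSD code, that models it so the two argv forms can be compared side by side: `resolve_user` is a simplified stand-in for SSSD name resolution (an unqualified login gets `default_domain_suffix` appended when set, a qualified login is looked up in the domain it names, domain names compare case-insensitively), and `DOMAINS`, `ssh_argv`, `login_name`, `conncheck` and the user and domain names in them are constructed assumptions.

```python
"""Model of the ipa-replica-conncheck SSH login before and after the fix.

Added example, not FreeIPA or SSSD code.  resolve_user() is a simplified
stand-in for SSSD name resolution: an unqualified login gets
default_domain_suffix appended when that option is set, a qualified login
is looked up in the domain it names, and domain names are compared
case-insensitively.  DOMAINS and the user names in it are constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed stand-in for the per-domain user databases SSSD would query.
DOMAINS: Dict[str, Set[str]] = {
    "example.com": {"admin"},      # the IPA domain (Kerberos realm EXAMPLE.COM)
    "ad.domain.com": {"jdoe"},     # a trusted AD domain
}


def resolve_user(login: str, default_domain_suffix: Optional[str] = None,
                 domains: Dict[str, Set[str]] = DOMAINS) -> Optional[str]:
    """Return the 'user@domain' the login resolves to, or None if unknown."""
    if "@" in login:
        name, _, domain = login.rpartition("@")
    elif default_domain_suffix:
        name, domain = login, default_domain_suffix
    else:
        # No suffix configured: try every domain in turn (first hit wins).
        for dom, users in domains.items():
            if login in users:
                return f"{login}@{dom}"
        return None
    for dom, users in domains.items():
        if dom.lower() == domain.lower() and name in users:
            return f"{name}@{dom}"
    return None


def ssh_argv(principal: str, addr: str, known_hosts: str, command: str,
             qualify: bool = True) -> List[str]:
    """Build an ssh argv in the spirit of ipa-replica-conncheck's SshExec.

    qualify=False reproduces the pre-fix behaviour: the realm is stripped
    with partition('@') and the user@host form is used.  qualify=True is
    the fixed behaviour: the full principal is passed via -o User=.
    """
    base = ["ssh", "-o", "StrictHostKeyChecking=no",
            "-o", f"UserKnownHostsFile={known_hosts}",
            "-o", "GSSAPIAuthentication=yes"]
    if qualify:
        return base + ["-o", f"User={principal}", addr, command]
    user = principal.partition("@")[0]
    return base + [f"{user}@{addr}", command]


def login_name(argv: List[str]) -> str:
    """Login name this argv asks ssh to use (for the two forms built above)."""
    for i, arg in enumerate(argv):
        if arg == "-o" and argv[i + 1].startswith("User="):
            return argv[i + 1][len("User="):]
    for arg in argv[1:]:
        if not arg.startswith("-") and "@" in arg:
            return arg.rpartition("@")[0]   # user@host: everything before the last '@'
    raise ValueError("no login name in argv")


def conncheck(principal: str, addr: str, default_domain_suffix: Optional[str],
              qualify: bool) -> Optional[str]:
    """Simulate the master resolving the SSH login; None means login fails."""
    argv = ssh_argv(principal, addr, "/tmp/known_hosts", "echo OK", qualify)
    return resolve_user(login_name(argv), default_domain_suffix)


if __name__ == "__main__":
    for qualify in (False, True):
        for suffix in (None, "ad.domain.com"):
            result = conncheck("admin@EXAMPLE.COM", "master.example.com",
                               suffix, qualify)
            print(f"qualify={qualify!s:5} default_domain_suffix={suffix!s:13} "
                  f"-> {result or 'FAIL: user not found'}")
```

Running the block prints the four combinations; only the unqualified login on a master with `default_domain_suffix` set fails to resolve, which is the case the ticket describes, and the qualified form resolves in both configurations because the realm part selects the IPA domain.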

Re: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck

2016-06-06 Thread Martin Basti



On 02.06.2016 14:58, Florence Blanc-Renaud wrote:


Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH 
connection to the master, so that the username is always fully qualified.


https://fedorahosted.org/freeipa/ticket/5812
--
Florence Blanc-Renaud
Identity Management Team, Red Hat




LGTM, but because of current issues with replica install in the master branch, 
I couldn't test it and I would like to be sure that ipa-replica-install 
using NTP will work too.



Just a little nitpick: for better readability, 'command' should be on a new line
-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr, command

Martin^2

[Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck

2016-06-02 Thread Florence Blanc-Renaud

Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH 
connection to the master, so that the username is always fully qualified.


https://fedorahosted.org/freeipa/ticket/5812

--
Florence Blanc-Renaud
Identity Management Team, Red Hat

From ea7e2dbdce797f0640b752aff3064956b2bd1639 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes <user>@<master> \
echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@example.com).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
[sssd]
default_domain_suffix = ad.domain.com
this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes -o User=<principal> \
<master> echo OK
to avoid syntax issues with admin@DOMAIN@master.

https://fedorahosted.org/freeipa/ticket/5812
---
 install/tools/ipa-replica-conncheck | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index d88291e55cdee7ea959d73f7535dd3db4ca2c31d..0008fb399022a180d38c36b14377f05068da420b 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,8 @@ class SshExec(object):
 '-o StrictHostKeychecking=no',
 '-o UserKnownHostsFile=%s' % tmpf.name,
 '-o GSSAPIAuthentication=yes',
-'%s@%s' % (self.user, self.addr), command
+'-o User=%s' % self.user,
+'%s' % self.addr, command
 ]
 if verbose:
 cmd.insert(1, '-v')
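
Review bot: `'%s' % self.addr, command` puts two unrelated items on one line, and `'%s' % self.addr` is just `self.addr`; write `self.addr,` and then `command` on its own line so the target host and the remote command are visibly separate list entries. `-o User=%s` is the right carrier for a realm-qualified name, since the removed `'%s@%s' % (self.user, self.addr)` would otherwise produce admin@EXAMPLE.COM@host.
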
@@ -515,7 +516,8 @@ def main():
 except Exception:
 print_info("Retrying using SSH...")
 
-user = principal.partition('@')[0]
+# Ticket 5812 Always qualify requests for admin
+user = principal
 ssh = SshExec(user, options.master)
 
 print_info("Check SSH connection to remote master")
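
Review bot: the removed `principal.partition('@')[0]` silently threw away the realm the caller passed with --principal; the added line restores it, but the comment should describe that behaviour rather than only name the ticket, e.g. `# keep the realm: an unqualified name would be resolved under SSSD's default_domain_suffix`. `user` is now identical to `principal`, so the local variable can go and `principal` be passed to `SshExec` directly.
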
-- 
2.5.5
