Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/08/2013 03:01 PM, Tomas Babej wrote: > On Thu 07 Mar 2013 11:01:33 PM CET, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: > Thanks! I just have two more very minor nitpicks. > > On 03/06/2013 01:04 PM, Tomas Babej wrote: >> On 03/05/2013 02:10 PM, Petr Viktorin wrote: >>> Thanks! The mechanism works, but see below. >>> >>> This is a RFE so it needs a design document. >>> >> http://freeipa.org/page/V3/Client_install_using_keytab > > Please also add the link to the commit message. > > > I think you answered Petr²'s security questions adequately. > Petr, note that this is a client-side change; if the keytab is > compromised the attacker can do all this manually anyway. > >> diff --git a/ipa-client/ipa-install/ipa-client-install >> b/ipa-client/ipa-install/ipa-client-install >> index >> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b >> >> >> >> 100755 >> --- a/ipa-client/ipa-install/ipa-client-install >> +++ b/ipa-client/ipa-install/ipa-client-install >> @@ -104,6 +104,8 @@ def parse_options(): > [...] >> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): >> except ipaclient.ntpconf.NTPConfigurationError: >> pass >> >> -if options.unattended and (options.password is None and >> options.principal is None and options.prompt_password is False) and >> not options.on_master: >> -root_logger.error("One of password and principal are >> required.") >> +if options.unattended and ((options.password is None and >> +options.principal is None and >> +options.keytab is None and >> +options.prompt_password is False)\ >> +and not options.on_master): > > Please also remove the inner parentheses and the backslash. > Both fixed, updated patch attached. Tomas >>> >>> ACK, thanks! >>> >> >> This needs related man page updates before we can push it. >> > > Man pages updated: > > [tbabej@thinkpad7 freeipa]$ git diff 
> diff --git a/ipa-client/man/ipa-client-install.1 > b/ipa-client/man/ipa-client-ins > [...] > +\fB\-k\fR, \fB\-\-keytab\fR > +Path to backed up host keytab from previous enrollment. > +.TP > [...] > diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 > [...] > +\fB\-f,\-\-force\fR > +Force enrolling the host even if host entry exists. > +.TP > >> Can you update the design to specifically include that the old >> certificate needs to be revoked, not just that a new certificate be >> issued (sort of implied, and it worked in my testing)? > > I updated the design page accordingly. However, shouldn't this be handled by > the server side automatically? > >> rob > > Updated patch attached. > I see the requested man page is there, the patches look OK now. Thus, second ACK, pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
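Review bot: the ipa-join man page text `+Force enrolling the host even if host entry exists.` says when the flag applies but not what it does to the existing entry; given the commit message (a new certificate and SSH keys are generated, ipaUniqueID is kept) and Rob's request that the design cover revoking the old certificate, state here and under `\-\-keytab` in ipa-client-install.1 what happens to the previous certificate and keys, and that re-enrollment only works while the host entry is still enabled, i.e. not after `ipa-client-install --uninstall`. Minor wording: "even if the host entry already exists".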
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On Thu 07 Mar 2013 11:01:33 PM CET, Rob Crittenden wrote: Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. Both fixed, updated patch attached. Tomas ACK, thanks! This needs related man page updates before we can push it. Man pages updated: [tbabej@thinkpad7 freeipa]$ git diff diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-ins [...] +\fB\-k\fR, \fB\-\-keytab\fR +Path to backed up host keytab from previous enrollment. +.TP [...] 
diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 [...] +\fB\-f,\-\-force\fR +Force enrolling the host even if host entry exists. +.TP Can you update the design to specifically include that the old certificate needs to be revoked, not just that a new certificate be issued (sort of implied, and it worked in my testing)? I updated the design page accordingly. However, shouldn't this be handled by the server side automatically? rob Updated patch attached. >From 73f533075321520fb94218641e1d45533cdfa9f3 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re-enrolling hosts using keytab A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exists. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374 --- ipa-client/ipa-install/ipa-client-install | 40 +++ ipa-client/ipa-join.c | 14 +++ ipa-client/man/ipa-client-install.1 | 3 +++ ipa-client/man/ipa-join.1 | 3 +++ 4 files changed, 50 insertions(+), 10 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..bd458ed09856dfccd161b1dc96f4b1e0ec7f7e40 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -104,6 +104,8 @@ def parse_options(): help="principal to use to join the IPA realm"), basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), +basic_group.add_option("-k", "--keytab", dest="keytab", + help="path to backed up keytab from previous enrollment"), basic_group.add_option("-W", dest="prompt_password", action="store_true", default=False, help="Prompt for a password to join the IPA realm"), @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of pass
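Review bot: the `parse_options` hunk adds `-k`/`--keytab` with `help="path to backed up keytab from previous enrollment"` but no check that the file exists and is readable, and the `@@ -1691` condition only rejects the case where password, principal, keytab and `-W` are all absent; decide what a run combining `--keytab` with `-p`/`-w` should do (reject it or document which credential wins) and fail early with a clear message on an unreadable keytab rather than letting it surface later as a failed kinit. The help text could also say the option is only for re-enrolling a host whose entry is still enabled, as the commit message explains.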
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. Both fixed, updated patch attached. Tomas ACK, thanks! This needs related man page updates before we can push it. Can you update the design to specifically include that the old certificate needs to be revoked, not just that a new certificate be issued (sort of implied, and it worked in my testing)? rob
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On Thu 07 Mar 2013 04:54:02 PM CET, Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. Both fixed, updated patch attached. Tomas ACK, thanks! With your blessing, I moved the link to the design page from V3 proposals to V3 designs. Tomas
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. Both fixed, updated patch attached. Tomas ACK, thanks! -- Petr³
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. Both fixed, updated patch attached. Tomas >From 1833de2b4c55f6342a80c0ca1c8e103c8bf3189e Mon Sep 17 00:00:00 2001 
From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re-enrolling hosts using keytab A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exists. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374 --- ipa-client/ipa-install/ipa-client-install | 40 +++ ipa-client/ipa-join.c | 14 +++ 2 files changed, 44 insertions(+), 10 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..bd458ed09856dfccd161b1dc96f4b1e0ec7f7e40 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): help="principal to use to join the IPA realm"), basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), +basic_group.add_option("-k", "--keytab", dest="keytab", + help="path to backed up keytab from previous enrollment"), basic_group.add_option("-W", dest="prompt_password", action="store_true", default=False, help="Prompt for a password to join the IPA realm"),
@@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and (options.password is None and + options.principal is None and + options.keytab is None and + options.prompt_password is False and + not options.on_master): +root_logger.error("One of password / principal / keytab is required.") return CLIENT_INSTALL_ERROR if options.hostname: @@ -1910,8 +1916,10 @@ def install(options, env, fstore, statestore): ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname) if not options.unattended: -if options.principal is None and options.password is None and options.prompt_password is False: -options.principal = user_input("User authorized to enroll computers", allow_empty=False) +if (options.principal is None and options.password is None and +options.prompt_password is False and options.keytab
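Review bot: the `@@ -1910` hunk extends the interactive-mode condition with `options.keytab`, which addresses the earlier comment that without `--unattended` the install still asked for the admin username and password; the excerpt is cut off right after `options.keytab`, so confirm that both the `user_input("User authorized to enroll computers", allow_empty=False)` prompt and the following password prompt are skipped when a keytab is given, otherwise an interactive keytab run still blocks on input. The reworked `@@ -1691` condition is fine: moving `not options.on_master` inside the parentheses does not change the boolean result, and the message now lists keytab among the accepted credentials.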
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab Please also add the link to the commit message. I think you answered Petr²'s security questions adequately. Petr, note that this is a client-side change; if the keytab is compromised the attacker can do all this manually anyway. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): [...] @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore): except ipaclient.ntpconf.NTPConfigurationError: pass -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: -root_logger.error("One of password and principal are required.") +if options.unattended and ((options.password is None and +options.principal is None and +options.keytab is None and +options.prompt_password is False)\ +and not options.on_master): Please also remove the inner parentheses and the backslash. -- Petr³
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/06/2013 01:30 PM, Petr Spacek wrote: On 6.3.2013 13:04, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab I added a "Security Considerations" section with a couple of questions inside. Please add more details about the un-enrolling process, pre-requirements and so on. I improved the design and added additional explanations to Security Considerations and elsewhere. Please have a look if anything needs more clarification. Tomas
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 6.3.2013 13:04, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab I added a "Security Considerations" section with a couple of questions inside. Please add more details about the un-enrolling process, pre-requirements and so on. -- Petr^2 Spacek
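As an added example (not FreeIPA's own code), this is the kind of pre-requirement check on the backed-up host keytab that the design's "pre-requirements" could spell out: before the file is handed to --keytab, confirm it is a version 2 MIT keytab, is not group/world accessible, and actually holds a key for the host principal. The sample keytab bytes, the host name client.example.test and the realm EXAMPLE.TEST are constructed for this example; the key bytes are placeholders, and the parser never returns key material.

```python
import os
import stat
import struct

KT_VNO = 0x0502  # MIT keytab file format version 2; all integers are big-endian
HOST_PRINCIPAL = "host/client.example.test@EXAMPLE.TEST"  # constructed, not a real host

def _counted(b):  # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, enctype, key, kvno, timestamp=0):
    """Pack one size-prefixed keytab v2 entry (name_type 1 = KRB5_NT_PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno; non-zero overrides vno8
    return struct.pack(">i", len(body)) + body

# Constructed sample: one deleted slot (negative size) then two live entries.
# Key bytes are placeholders, not real key material.
SAMPLE_KEYTAB = (
    struct.pack(">H", KT_VNO)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry(HOST_PRINCIPAL, 18, b"\x00" * 32, 3)  # 18 = aes256-cts, kvno 3
    + build_entry("nfs/client.example.test@EXAMPLE.TEST", 17, b"\x11" * 16, 1)
)

def _parse_entry(rec):
    """One entry payload -> (principal, enctype, kvno). The key itself is skipped."""
    off = 0
    (ncomp,) = struct.unpack_from(">H", rec, off); off += 2
    names = []  # realm first, then the principal components
    for _ in range(ncomp + 1):
        (n,) = struct.unpack_from(">H", rec, off); off += 2
        if off + n > len(rec): raise ValueError("truncated entry")
        names.append(rec[off:off + n].decode()); off += n
    _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", rec, off); off += 9
    enctype, klen = struct.unpack_from(">HH", rec, off); off += 4 + klen
    if off > len(rec): raise ValueError("truncated entry")
    kvno = vno8
    if len(rec) - off >= 4:  # 32-bit kvno present; a non-zero value wins
        (vno32,) = struct.unpack_from(">I", rec, off)
        kvno = vno32 or vno8
    return ("/".join(names[1:]) + "@" + names[0], enctype, kvno)

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry of a v2 keytab."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KT_VNO:
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:  # deleted slot: skip its payload
            pos -= size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("malformed entry at offset %d" % (pos - 4))
        try:
            entries.append(_parse_entry(data[pos:pos + size]))
        except (struct.error, UnicodeDecodeError) as e:
            raise ValueError("malformed entry at offset %d: %s" % (pos - 4, e))
        pos += size
    return entries

def preflight(data, expected_principal):
    """Content problems that would make re-enrollment fail; empty list means OK."""
    try:
        entries = parse_keytab(data)
    except ValueError as e:
        return ["unparseable keytab: %s" % e]
    if not any(p == expected_principal for p, _, _ in entries):
        return ["no key for %s" % expected_principal]
    return []

def preflight_file(path, expected_principal):
    """File-level checks (exists, not group/world accessible) plus the content checks."""
    try:
        st = os.stat(path)
    except OSError as e:
        return ["cannot stat keytab: %s" % e]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab is group/world accessible (mode %o)" % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        problems += preflight(f.read(), expected_principal)
    return problems
```

A non-empty list from `preflight_file("/path/to/backup/host.keytab", "host/<fqdn>@<REALM>")` is a reason to stop before attempting the join, instead of learning about the problem from a failed kinit.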
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/05/2013 02:10 PM, Petr Viktorin wrote: Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. http://freeipa.org/page/V3/Client_install_using_keytab For context, I'll include your comment from trac: > From my investigation I would conclude that we cannot support client > install using backed-up keytab when the host has been unenrolled > (e.g. after running ipa-client-install --uninstall). When > unenrolling, we disable the host entry in LDAP and therefore > effectively disable the Kerberos key, SSL certificate and all > services of a host. > > We should only support reenrollment for clients that have not been > unenrolled, and therefore still have valid Kerberos key. I think it also makes sense from a security point of view: if the machine is compromised, I'd expect that after unenrolling it can't come back on its own. Yes, that's also an issue here. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. With the patch this only works with --unattended; in interactive mode it still asks for the admin username and password. Fixed. A host that has been previously unenrolled and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. I'd not say "unenrolled" here, unenrolling from IPA disables the host. Reworded. [...] diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -104,6 +104,8 @@ def parse_options(): help="principal to use to join the IPA realm"), basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), +basic_group.add_option("-k", "--keytab", dest="keytab", sensitive=True, + help="path to backed up keytab from previous enrollment"), The keytab filename is not sensitive. Fixed. I misunderstood what the option stands for. [...] -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: +if options.unattended and (options.password is None and + options.principal is None and + options.keytab is None and + options.prompt_password is False)\ + and not options.on_master: Style issue: Wrap everything in the parentheses instead of using the backslash. Fixed. [...] +if returncode != 0: +root_logger.error("Kerberos authentication failed " + "using keytab: %s" % options.keytab) Fixed. Use a comma instead of the % [...] I'm not a C expert but the ipa-join changes look fine. Thanks for the review, updated patches are attached. Tomas >From 56288351b8ab9dc8b3076a7f4b895601a047eecb Mon Sep 17 00:00:00 2001 
From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re-enrolling hosts using keytab A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exists. A new certificate, ssh keys are generated, ipaUniqueID stays the same. https://fedorahosted.org/freeipa/ticket/3374 --- ipa-client/ipa-install/ipa-client-install | 40 +++ ipa-client/ipa-join.c | 14 +++ 2 files changed, 44 insertions(+), 10 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): help="principal to use to join the IPA realm"), basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), +basic_group.add_option("-k", "--keytab", dest="keytab", + help="path to backed up keytab from previous enrollment"), basic_group.add_option("-W", dest="prompt_password", action="store_true",
Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
On 03/04/2013 06:27 PM, Tomas Babej wrote: Hi, A host that has been previously unenrolled and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. Thanks! The mechanism works, but see below. This is a RFE so it needs a design document. For context, I'll include your comment from trac: > From my investigation I would conclude that we cannot support client > install using backed-up keytab when the host has been unenrolled > (e.g. after running ipa-client-install --uninstall). When > unenrolling, we disable the host entry in LDAP and therefore > effectively disable the Kerberos key, SSL certificate and all > services of a host. > > We should only support reenrollment for clients that have not been > unenrolled, and therefore still have valid Kerberos key. I think it also makes sense from a security point of view: if the machine is compromised, I'd expect that after unenrolling it can't come back on its own. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. With the patch this only works with --unattended; in interactive mode it still asks for the admin username and password. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exists. A new certificate, ssh keys are generated, ipaUniqueID stays the same. https://fedorahosted.org/freeipa/ticket/3374 Attaching a comparison between host entry states (enrolled using principal and reenrolled using keytab). Tomas freeipa-tbabej-0037-Add-support-for-re-enrolling-hosts-using-keytab.patch From e576009bb7a93daec1cbc4ef94785017f80b2756 Mon Sep 17 00:00:00 2001
From: Tomas Babej Date: Tue, 26 Feb 2013 13:20:13 +0100 Subject: [PATCH] Add support for re-enrolling hosts using keytab A host that has been previously unenrolled and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. I'd not say "unenrolled" here, unenrolling from IPA disables the host. [...] diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -104,6 +104,8 @@ def parse_options(): help="principal to use to join the IPA realm"), basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), +basic_group.add_option("-k", "--keytab", dest="keytab", sensitive=True, + help="path to backed up keytab from previous enrollment"), The keytab filename is not sensitive. [...] -if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: +if options.unattended and (options.password is None and + options.principal is None and + options.keytab is None and + options.prompt_password is False)\ + and not options.on_master: Style issue: Wrap everything in the parentheses instead of using the backslash. [...] +if returncode != 0: +root_logger.error("Kerberos authentication failed " + "using keytab: %s" % options.keytab) Use a comma instead of the % [...] I'm not a C expert but the ipa-join changes look fine. -- Petr³
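Review bot: the quoted hunk `+if returncode != 0: +root_logger.error("Kerberos authentication failed " + "using keytab: %s" % options.keytab)` logs the failed kinit but the visible lines show no abort after it; re-enrollment must not proceed to ipa-join without a credential, so return CLIENT_INSTALL_ERROR there, as the unattended-options check already does, and Petr's point about using a comma instead of `%` applies to the same call.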