Re: [Freeipa-devel] [PATCH] 388-389 Improve client install LDAP cert retrieval fallback

2013-03-21 Thread Martin Kosek
On 03/19/2013 03:42 PM, Tomas Babej wrote:
> On 03/14/2013 02:41 PM, Martin Kosek wrote:
>> [freeipa-mkosek-388-use-temporary-ccache-in-ipa-client-install.patch]:
>>
>> ipa-client-install failed if user had set his own KRB5CCNAME in his
>> environment. Use a temporary CCACHE for the installer to avoid these
>> kinds of errors.
>>
>> [freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch]:
>>
>> CA certificate retrieval function did not fall back from LDAP to
>> HTTP based retrieval in case of an LDAP error, when for example
>> GSSAPI authentication failed.
>>
>> -
>>
>> Sending Fedora 18 client installation fixes as per
>> https://bugzilla.redhat.com/show_bug.cgi?id=920716#c10
>>
>> Martin
>
> Fixes the issue just fine. Ack.
>
> Just a nitpick, only patch 389 is linked in Trac.
> I uploaded the second part as well, for consistency's sake.
>
> Tomas

Pushed to master, ipa-3-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 388-389 Improve client install LDAP cert retrieval fallback

2013-03-19 Thread Tomas Babej

On 03/14/2013 02:41 PM, Martin Kosek wrote:
> [freeipa-mkosek-388-use-temporary-ccache-in-ipa-client-install.patch]:
>
> ipa-client-install failed if user had set his own KRB5CCNAME in his
> environment. Use a temporary CCACHE for the installer to avoid these
> kinds of errors.
>
> [freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch]:
>
> CA certificate retrieval function did not fall back from LDAP to
> HTTP based retrieval in case of an LDAP error, when for example
> GSSAPI authentication failed.
>
> -
>
> Sending Fedora 18 client installation fixes as per
> https://bugzilla.redhat.com/show_bug.cgi?id=920716#c10
>
> Martin


Fixes the issue just fine. Ack.

Just a nitpick, only patch 389 is linked in Trac.
I uploaded the second part as well, for consistency's sake.

Tomas



[Freeipa-devel] [PATCH] 388-389 Improve client install LDAP cert retrieval fallback

2013-03-14 Thread Martin Kosek
[freeipa-mkosek-388-use-temporary-ccache-in-ipa-client-install.patch]:

ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kinds of errors.

[freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch]:

CA certificate retrieval function did not fall back from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.

-

Sending Fedora 18 client installation fixes as per
https://bugzilla.redhat.com/show_bug.cgi?id=920716#c10

Martin

From d837418d9424938823a9793ce72de742967bbfd5 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 14 Mar 2013 14:33:56 +0100
Subject: [PATCH 1/2] Use temporary CCACHE in ipa-client-install

ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kinds of errors.

https://fedorahosted.org/freeipa/ticket/3512
---
 ipa-client/ipa-install/ipa-client-install | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index d9e1b7e786466ba11fb8fd1d00a72904dfcc0005..fc8b6c85598a6d5b8d7ff3d53dd4db6d9b001b51 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1979,6 +1979,9 @@ def install(options, env, fstore, statestore):
 root_logger.error(Test kerberos configuration failed)
 return CLIENT_INSTALL_ERROR
 env['KRB5_CONFIG'] = krb_name
+(ccache_fd, ccache_name) = tempfile.mkstemp()
+os.close(ccache_fd)
+env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
 join_args = [/usr/sbin/ipa-join, -s, cli_server[0], -b, str(realm_to_suffix(cli_realm))]
 if options.debug:
 join_args.append(-d)
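
Review bot: the temporary ccache created by `tempfile.mkstemp()` here is only removed by the `os.remove(ccache_name)` added near the end of install() in the next hunk, so any path that leaves the function in between, like the `return CLIENT_INSTALL_ERROR` visible just above the added lines, would leave a credential cache file behind in the temp directory. Consider wrapping the section that uses the ccache in try/finally so the removal always runs. Also, `os.environ['KRB5CCNAME']` is overwritten for the whole process and never restored; a short comment saying that this is intended for the installer would help the next reader.
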
@@ -2114,6 +2117,10 @@ def install(options, env, fstore, statestore):
 except OSError:
 root_logger.error(Could not remove %s, krb_name)
 try:
+os.remove(ccache_name)
+except OSError:
+pass
+try:
 os.remove(krb_name + .ipabkp)
 except OSError:
 root_logger.error(Could not remove %s.ipabkp, krb_name)
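
Review bot: `except OSError: pass` around `os.remove(ccache_name)` swallows the failure silently, while the neighbouring removals of `krb_name` and `krb_name + .ipabkp` both report it through `root_logger.error`. A leftover credential cache is at least as worth reporting as a leftover krb5 configuration file, so log it the same way with `ccache_name`, or at debug level if a missing file is expected at this point.
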
-- 
1.8.1.4

From 429b5390e1e75be400ccb7aaa3e2ed4b72b359e2 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 14 Mar 2013 14:36:39 +0100
Subject: [PATCH 2/2] Improve client install LDAP cert retrieval fallback

CA certificate retrieval function did not fall back from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.

https://fedorahosted.org/freeipa/ticket/3512
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index fc8b6c85598a6d5b8d7ff3d53dd4db6d9b001b51..f1b2c1887a1f393c4ac6ca004deee80ff52b2ca7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1624,7 +1624,7 @@ def get_ca_cert(fstore, options, server, basedn):
 except Exception, e:
 os.unlink(ca_file)
 raise
-except errors.NoCertificateError, e:
+except (errors.NoCertificateError, errors.LDAPError), e:
 root_logger.debug(str(e))
 url = http_url()
 if existing_ca_cert:
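
Review bot: with `errors.LDAPError` added to the except clause, every LDAP failure, including the GSSAPI authentication failure named in the commit message, now moves CA certificate retrieval to `http_url()`, yet the reason is recorded only by `root_logger.debug(str(e))`. Since this decides which channel the client's CA certificate comes from, log the fallback at warning level and say explicitly that retrieval is falling back from LDAP to HTTP, so it shows up in a normal install log. A comment on why the whole `LDAPError` class is caught, rather than specific subclasses, would also help.
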
-- 
1.8.1.4
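
The temporary-ccache approach described for patch 388, written as a self-contained Python 3 context manager (an added example, not code from the patch or from FreeIPA): it removes the cache file and restores the caller's KRB5CCNAME even when the step using it fails. The names `private_ccache` and `demo`, the file prefix and the sample KRB5CCNAME value are assumptions made for illustration.

```python
import contextlib
import os
import stat
import tempfile


@contextlib.contextmanager
def private_ccache(env=None, prefix="krb5cc_install_"):
    """Point KRB5CCNAME at a fresh private file; restore and delete on exit.

    private_ccache and prefix are hypothetical names, not FreeIPA's.
    """
    env = os.environ if env is None else env
    had_old = "KRB5CCNAME" in env
    old = env.get("KRB5CCNAME")
    fd, path = tempfile.mkstemp(prefix=prefix)  # created with mode 0600
    os.close(fd)
    env["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        # Runs on normal exit, early return and exceptions alike.
        if had_old:
            env["KRB5CCNAME"] = old
        else:
            env.pop("KRB5CCNAME", None)
        try:
            os.remove(path)
        except FileNotFoundError:
            pass  # already gone; any other OSError propagates


def demo():
    """Simulate a failed install step and report what happened to the ccache."""
    env = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000"}  # constructed user setting
    seen = {}
    try:
        with private_ccache(env) as path:
            seen["path"] = path
            seen["during"] = env["KRB5CCNAME"]
            seen["mode"] = stat.S_IMODE(os.stat(path).st_mode)
            raise RuntimeError("simulated ipa-join failure")
    except RuntimeError:
        pass
    seen["after"] = env["KRB5CCNAME"]
    seen["left_behind"] = os.path.exists(seen["path"])
    return seen


if __name__ == "__main__":
    print(demo())
```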
