subject:"\[Freeipa\-devel\] \[PATCH\] 256 Make ipa 2.2 client capable of joining an older server"

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

2012-05-02 Thread Rob Crittenden


Martin Kosek wrote:

On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Testing instructions included in the ticket.
---
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again.

https://fedorahosted.org/freeipa/ticket/2697


Still working on testing this, just a couple of initial comments.

I'd like to see the second and 3rd exceptions be logged as well as
printed to stderr (this is a common problem in ipa-client-install, we
don't log as much as we should).

Will it be confusing to print the bit about S4U2Proxy? I think
simplyfing as "you are running a new client than the IPA server so some
capabilities may not be available" or something like that.

rob


The attached patch has a better error reporting and logging. I also
added user realm to keytab kinit as you suggested on IRC, it should make
the kinit more bullet-proof.

Martin


ACK, pushed to master and ipa-2-2

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

2012-05-02 Thread Martin Kosek

On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Testing instructions included in the ticket.
> > ---
> > IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
> > delegation, i.e. ipa command no longer forwards Kerberos TGT to the
> > server during authentication. However, when IPA client of version
> > 2.2 and higher tries to join an older IPA server, the installer
> > crashes because the pre-2.2 server expects the TGT to be forwarded.
> >
> > This patch adds a fallback to ipa-client-install which would detect
> > this situation and tries connecting with TGT forwarding enabled
> > again.
> >
> > https://fedorahosted.org/freeipa/ticket/2697
> 
> Still working on testing this, just a couple of initial comments.
> 
> I'd like to see the second and 3rd exceptions be logged as well as 
> printed to stderr (this is a common problem in ipa-client-install, we 
> don't log as much as we should).
> 
> Will it be confusing to print the bit about S4U2Proxy? I think 
> simplyfing as "you are running a new client than the IPA server so some 
> capabilities may not be available" or something like that.
> 
> rob

The attached patch has a better error reporting and logging. I also
added user realm to keytab kinit as you suggested on IRC, it should make
the kinit more bullet-proof.

Martin
>From efbe40f02f99535d84515dc45c13076cefc18311 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 2 May 2012 15:36:04 +0200
Subject: [PATCH] Make ipa 2.2 client capable of joining an older server

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
---
 ipa-client/ipa-install/ipa-client-install |   26 --
 1 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce0457dd4f4a51530337db7e5e3fec829b3..67279b3ed8ae8a25e845ccbcce7143efcaf6d467 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1374,14 +1374,36 @@ def install(options, env, fstore, statestore):
 
 os.environ['KRB5CCNAME'] = CCACHE_FILE
 try:
-ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname])
-api.Backend.xmlclient.connect()
+ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (hostname, cli_realm)])
 except CalledProcessError, e:
 print >>sys.stderr, "Failed to obtain host TGT."
 # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
 # abort installation and rollback changes
 return CLIENT_INSTALL_ERROR
 
+# Now, we have a TGT, lets try to connect to the server's XML-RPC interface
+try:
+api.Backend.xmlclient.connect()
+except errors.KerberosError, e:
+root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e))
+root_logger.debug('Trying with delegate=True')
+try:
+api.Backend.xmlclient.connect(delegate=True)
+root_logger.debug('Connection with delegate=True successful')
+
+# The remote server is not capable of Kerberos S4U2Proxy delegation
+# This features is implemented in IPA server version 2.2 and higher
+print >>sys.stderr, "Target IPA server has a lower version that the enrolled client"
+print >>sys.stderr, "Some capabilities including the ipa command capability may not be available"
+except errors.PublicError, e2:
+root_logger.debug('Second connect with delegate=True also failed: %s' % str(e2))
+print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2)
+return CLIENT_INSTALL_ERROR
+except errors.PublicError, e:
+root_logger.debug('Cannot connect to the server due to generic error: %s' % str(e))
+print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e)
+return CLIENT_INSTALL_ERROR
+
 if not options.on_master:
 client_dns(cli_server, hostname, options.dns_updates)
 configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
-- 
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

2012-05-02 Thread Rob Crittenden


Martin Kosek wrote:

Testing instructions included in the ticket.
---
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again.

https://fedorahosted.org/freeipa/ticket/2697


Still working on testing this, just a couple of initial comments.

I'd like to see the second and 3rd exceptions be logged as well as 
printed to stderr (this is a common problem in ipa-client-install, we 
don't log as much as we should).


Will it be confusing to print the bit about S4U2Proxy? I think 
simplyfing as "you are running a new client than the IPA server so some 
capabilities may not be available" or something like that.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

2012-05-02 Thread Martin Kosek

Testing instructions included in the ticket.
---
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again.

https://fedorahosted.org/freeipa/ticket/2697

>From 9d91bba05b4279c3b975d34db87cf8fd68bc2228 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 2 May 2012 15:36:04 +0200
Subject: [PATCH] Make ipa 2.2 client capable of joining an older server

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again.

https://fedorahosted.org/freeipa/ticket/2697
---
 ipa-client/ipa-install/ipa-client-install |   21 -
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce0457dd4f4a51530337db7e5e3fec829b3..16106a50c3124612f051cc9e9a37a1c1200377eb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1375,13 +1375,32 @@ def install(options, env, fstore, statestore):
 os.environ['KRB5CCNAME'] = CCACHE_FILE
 try:
 ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname])
-api.Backend.xmlclient.connect()
 except CalledProcessError, e:
 print >>sys.stderr, "Failed to obtain host TGT."
 # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
 # abort installation and rollback changes
 return CLIENT_INSTALL_ERROR
 
+# Now, we have a TGT, lets try to connect to the server's XML-RPC interface
+try:
+api.Backend.xmlclient.connect()
+except errors.KerberosError, e:
+root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e))
+root_logger.debug('Trying with delegate=True')
+try:
+api.Backend.xmlclient.connect(delegate=True)
+
+# The remote server is not capable of Kerberos S4U2Proxy delegation
+# This features is implemented in IPA server version 2.2 and higher
+print >>sys.stderr, "Server does not support Kerberos S4U2Proxy delegation"
+print >>sys.stderr, "ipa command needs to use --delegate to connect to the server"
+except errors.PublicError, e2:
+print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2)
+return CLIENT_INSTALL_ERROR
+except errors.PublicError, e:
+print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e)
+return CLIENT_INSTALL_ERROR
+
 if not options.on_master:
 client_dns(cli_server, hostname, options.dns_updates)
 configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
-- 
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

4 matches

Site Navigation

Mail list logo

Footer information