Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
Martin Kosek wrote:
> On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Testing instructions included in the ticket.
>>> ---
>>> IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.
>>>
>>> This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2697
>>
>> Still working on testing this, just a couple of initial comments.
>>
>> I'd like to see the second and third exceptions be logged as well as printed to stderr (this is a common problem in ipa-client-install, we don't log as much as we should).
>>
>> Will it be confusing to print the bit about S4U2Proxy? I think simplifying it as "you are running a newer client than the IPA server so some capabilities may not be available" or something like that.
>>
>> rob
>
> The attached patch has better error reporting and logging. I also added the user realm to the keytab kinit as you suggested on IRC; it should make the kinit more bullet-proof.
>
> Martin

ACK, pushed to master and ipa-2-2

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> Testing instructions included in the ticket.
>> ---
>> IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.
>>
>> This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again.
>>
>> https://fedorahosted.org/freeipa/ticket/2697
>
> Still working on testing this, just a couple of initial comments.
>
> I'd like to see the second and third exceptions be logged as well as printed to stderr (this is a common problem in ipa-client-install, we don't log as much as we should).
>
> Will it be confusing to print the bit about S4U2Proxy? I think simplifying it as "you are running a newer client than the IPA server so some capabilities may not be available" or something like that.
>
> rob

The attached patch has better error reporting and logging. I also added the user realm to the keytab kinit as you suggested on IRC; it should make the kinit more bullet-proof.

Martin

>From efbe40f02f99535d84515dc45c13076cefc18311 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 2 May 2012 15:36:04 +0200
Subject: [PATCH] Make ipa 2.2 client capable of joining an older server

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again. The user is informed about this incompatibility.

The missing realm was also added to the keytab kinit, as it was reported to fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
---
 ipa-client/ipa-install/ipa-client-install | 26 --
 1 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce0457dd4f4a51530337db7e5e3fec829b3..67279b3ed8ae8a25e845ccbcce7143efcaf6d467 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1374,14 +1374,36 @@ def install(options, env, fstore, statestore): os.environ['KRB5CCNAME'] = CCACHE_FILE try: -ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname]) -api.Backend.xmlclient.connect() +ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (hostname, cli_realm)]) except CalledProcessError, e: print >>sys.stderr, "Failed to obtain host TGT." # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP, # abort installation and rollback changes return CLIENT_INSTALL_ERROR +# Now, we have a TGT, lets try to connect to the server's XML-RPC interface +try: +api.Backend.xmlclient.connect() +except errors.KerberosError, e: +root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e)) +root_logger.debug('Trying with delegate=True') +try: +api.Backend.xmlclient.connect(delegate=True) +root_logger.debug('Connection with delegate=True successful') + +# The remote server is not capable of Kerberos S4U2Proxy delegation +# This features is implemented in IPA server version 2.2 and higher +print >>sys.stderr, "Target IPA server has a lower version that the enrolled client" +print >>sys.stderr, "Some capabilities including the ipa command capability may not be available" +except errors.PublicError, e2: +root_logger.debug('Second connect with delegate=True also failed: %s' % str(e2)) +print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2) +return CLIENT_INSTALL_ERROR +except errors.PublicError, e: +root_logger.debug('Cannot connect to the server due to generic error: %s' % str(e)) +print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e) +return CLIENT_INSTALL_ERROR + if not options.on_master: client_dns(cli_server, hostname, options.dns_updates) configure_certmonger(fstore, subject_base, cli_realm, hostname, options) -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com 
https://www.redhat.com/mailman/listinfo/freeipa-devel
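Review bot: the user-facing string "Target IPA server has a lower version that the enrolled client" should read "than", and the comment "This features is implemented" should be "This feature is". On the logic of the same hunk: the fallback is keyed on any errors.KerberosError from the first connect, so an unrelated Kerberos failure (clock skew, a stale ticket in the cache) also triggers the retry that forwards the host TGT, and if that retry happens to succeed the installer reports an older server although no version was checked; the "lower version" message is an inference from the retry succeeding. Since that condition changes how the host credential is handled and the two root_logger.debug calls around it are the only trace it leaves, log the same message through root_logger at warning level as well as printing it. The ordering of the except clauses is right and should stay as it is: KerberosError must precede the generic errors.PublicError handler (which the structure assumes is its base class), otherwise the retry is never reached.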
Re: [Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
Martin Kosek wrote:
> Testing instructions included in the ticket.
> ---
> IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.
>
> This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again.
>
> https://fedorahosted.org/freeipa/ticket/2697

Still working on testing this, just a couple of initial comments.

I'd like to see the second and third exceptions be logged as well as printed to stderr (this is a common problem in ipa-client-install, we don't log as much as we should).

Will it be confusing to print the bit about S4U2Proxy? I think simplifying it as "you are running a newer client than the IPA server so some capabilities may not be available" or something like that.

rob
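The connect-then-fall-back logic the patch description above sets out, as an added example that is not FreeIPA code and not from the thread. It models the server side with a constructed FakeServer (pre-2.2 accepts only a connection that forwards the TGT, 2.2+ works without it), declares stand-in KerberosError/PublicError classes mirroring the ipalib.errors hierarchy, and, as Rob's review asks, both logs and reports every failure. The second function shows the pitfall the except-clause ordering guards against: with the generic handler first, the retry becomes dead code. All names here (FakeServer, connect_with_fallback, connect_misordered) are assumptions of the example, and it is written for Python 3 rather than the Python 2 of the installer.

```python
# Added example, not FreeIPA code: the fallback pattern from the ipa-client-install
# patch, with stand-in exception classes and a constructed fake server so it runs
# offline. FakeServer, connect_with_fallback and connect_misordered are assumed names.
import logging

log = logging.getLogger("ipa-client-install.example")


class PublicError(Exception):
    """Stand-in for ipalib.errors.PublicError, the base of user-visible errors."""


class KerberosError(PublicError):
    """Stand-in for ipalib.errors.KerberosError. Being a PublicError subclass is
    exactly why the order of the except clauses below matters."""


class FakeServer:
    """Constructed stand-in for api.Backend.xmlclient. A pre-2.2 server only
    accepts a connection that forwards the TGT (delegate=True); a 2.2+ server
    uses S4U2Proxy and needs no forwarding."""

    def __init__(self, version, reachable=True):
        self.version = version
        self.reachable = reachable

    def connect(self, delegate=False):
        if not self.reachable:
            raise PublicError("cannot reach XML-RPC interface")
        if self.version < (2, 2) and not delegate:
            raise KerberosError("server expects a forwarded TGT")
        return delegate


def connect_with_fallback(server):
    """Mirror of the patch's structure. Returns (connected, delegated, messages),
    where messages are the lines the real script would print to stderr; every
    failure is also logged so the install log can be used to diagnose it."""
    messages = []
    try:
        server.connect()
        return True, False, messages
    except KerberosError as e:
        log.debug("Cannot connect to the server due to Kerberos error: %s", e)
        log.debug("Trying with delegate=True")
        try:
            server.connect(delegate=True)
        except PublicError as e2:
            log.debug("Second connect with delegate=True also failed: %s", e2)
            messages.append("Cannot connect to the IPA server XML-RPC interface: %s" % e2)
            return False, False, messages
        # Only the forwarded-TGT path worked: the server predates S4U2Proxy support.
        # Logged at warning level as well as reported, because this downgrade is
        # otherwise invisible in the log.
        log.warning("Connected only with delegate=True; server is older than this client")
        messages.append("Target IPA server has a lower version than the enrolled client")
        messages.append("Some capabilities including the ipa command capability may not be available")
        return True, True, messages
    except PublicError as e:
        log.debug("Cannot connect to the server due to generic error: %s", e)
        messages.append("Cannot connect to the IPA server XML-RPC interface: %s" % e)
        return False, False, messages


def connect_misordered(server):
    """Same idea with the except clauses swapped. Because KerberosError is a
    PublicError, the generic handler catches it first and the retry never runs,
    so an older server is reported as a plain connection failure."""
    messages = []
    try:
        server.connect()
        return True, False, messages
    except PublicError as e:
        messages.append("Cannot connect to the IPA server XML-RPC interface: %s" % e)
        return False, False, messages
    except KerberosError:  # unreachable: shadowed by the clause above
        server.connect(delegate=True)
        return True, True, messages
```

Running connect_with_fallback against FakeServer((2, 1)) returns (True, True, [...]) with the two user messages, against FakeServer((2, 2)) it returns (True, False, []) without ever forwarding the TGT, and connect_misordered against the 2.1 server fails outright.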
[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
Testing instructions included in the ticket.
---
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again.

https://fedorahosted.org/freeipa/ticket/2697

>From 9d91bba05b4279c3b975d34db87cf8fd68bc2228 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 2 May 2012 15:36:04 +0200
Subject: [PATCH] Make ipa 2.2 client capable of joining an older server

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. the ipa command no longer forwards the Kerberos TGT to the server during authentication. However, when an IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which detects this situation and tries connecting with TGT forwarding enabled again.

https://fedorahosted.org/freeipa/ticket/2697
---
 ipa-client/ipa-install/ipa-client-install | 21 -
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce0457dd4f4a51530337db7e5e3fec829b3..16106a50c3124612f051cc9e9a37a1c1200377eb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1375,13 +1375,32 @@ def install(options, env, fstore, statestore): os.environ['KRB5CCNAME'] = CCACHE_FILE try: ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname]) -api.Backend.xmlclient.connect() except CalledProcessError, e: print >>sys.stderr, "Failed to obtain host TGT." # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP, # abort installation and rollback changes return CLIENT_INSTALL_ERROR +# Now, we have a TGT, lets try to connect to the server's XML-RPC interface +try: +api.Backend.xmlclient.connect() +except errors.KerberosError, e: +root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e)) +root_logger.debug('Trying with delegate=True') +try: +api.Backend.xmlclient.connect(delegate=True) + +# The remote server is not capable of Kerberos S4U2Proxy delegation +# This features is implemented in IPA server version 2.2 and higher +print >>sys.stderr, "Server does not support Kerberos S4U2Proxy delegation" +print >>sys.stderr, "ipa command needs to use --delegate to connect to the server" +except errors.PublicError, e2: +print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2) +return CLIENT_INSTALL_ERROR +except errors.PublicError, e: +print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e) +return CLIENT_INSTALL_ERROR + if not options.on_master: client_dns(cli_server, hostname, options.dns_updates) configure_certmonger(fstore, subject_base, cli_realm, hostname, options) -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
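Review bot: both `except errors.PublicError` handlers that return CLIENT_INSTALL_ERROR only print to stderr and never log, so a failed enrollment leaves nothing in the client install log to diagnose it from; log the outer `e` and the inner `e2` through root_logger alongside the print, as the hunk already does for the first KerberosError. Two smaller points in the same hunk: the kinit principal `'host/%s' % hostname` carries no realm and so depends on the krb5.conf default_realm matching the IPA realm, while cli_realm is already in scope (it is passed to configure_certmonger two lines below); and the user-facing pair "Server does not support Kerberos S4U2Proxy delegation" / "ipa command needs to use --delegate to connect to the server" presents TGT forwarding as the normal mode instead of as a compatibility fallback to an older server, which is what the delegate=True retry actually establishes, so a version-oriented wording would be clearer.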