Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
Martin Kosek wrote:
On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote:
If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration.
[snip]
@@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): return (stdout, stderr, returncode) +def _find_ipa_submit_ca(): +""" +Look through all the certmonger CA files to find the one that +defines ipa-submit as the ca_external_helper. + +We can use find_request_value because the ca files have the +same file format. +""" +fileList=os.listdir(CA_DIR) +for file in fileList: +value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') +if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): +return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin Good idea, switched to use id=IPA instead. rob ACK, nice work. Tested with ticket 748. Everything worked with both --hostname set and without it, uninstallation was also correct. I just run into an issue (not patch related) when certmonger kept showing me CA_UNCONFIGURED certificate tracking status. As we found out, this was caused by SELinux. However, new SElinux policy selinux-policy-3.9.7-33.fc14 should fix it. Martin I need to do some further investigation to see how this affects other distros, we may need to update the low-bar for selinux policy in our spec file. I'll open a new ticket for that. 
pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
> > On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote:
> >> If a hostname was provided it wasn't used to configure either
> >> certmonger or sssd. This resulted in a non-working configuration.
> > [snip]
> >> @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, > >> nickname=None): > >> > >> return (stdout, stderr, returncode) > >> > >> +def _find_ipa_submit_ca(): > >> +""" > >> +Look through all the certmonger CA files to find the one that > >> +defines ipa-submit as the ca_external_helper. > >> + > >> +We can use find_request_value because the ca files have the > >> +same file format. > >> +""" > >> +fileList=os.listdir(CA_DIR) > >> +for file in fileList: > >> +value = find_request_value('%s/%s' % (CA_DIR, file), > >> 'ca_external_helper') > >> +if value is not None and > >> value.startswith('/usr/libexec/certmonger/ipa-submit'): > >> +return '%s/%s' % (CA_DIR, file) > > > > This should work, but could I get you to change the test here to look > > for "id=IPA" instead of > > "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? > > > > The "ipa-getcert" command-line tool is hard-coded to ask certmonger to > > use the CA with an "id" of "IPA", and that's how certmonger figures out > > which file's settings to use. > > > > I can imagine having another CA configuration for certmonger on the > > system that told it to call its ipa-submit helper with a different set > > of arguments. In that setup, the one with "id=IPA" would still be the > > one that certmonger would use on behalf of ipa-getcert. (I don't have a > > good idea of _why_ someone would do that, but there you go.) > > > > Cheers, > > > > Nalin > > Good idea, switched to use id=IPA instead. > > rob ACK, nice work. Tested with ticket 748. Everything worked with both --hostname set and without it, uninstallation was also correct. I just run into an issue (not patch related) when certmonger kept showing me CA_UNCONFIGURED certificate tracking status. As we found out, this was caused by SELinux. However, new SElinux policy selinux-policy-3.9.7-33.fc14 should fix it. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
Nalin Dahyabhai wrote: On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. [snip] @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): return (stdout, stderr, returncode) +def _find_ipa_submit_ca(): +""" +Look through all the certmonger CA files to find the one that +defines ipa-submit as the ca_external_helper. + +We can use find_request_value because the ca files have the +same file format. +""" +fileList=os.listdir(CA_DIR) +for file in fileList: +value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') +if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): +return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin Good idea, switched to use id=IPA instead. rob freeipa-rcrit-749-2-hostname.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: > If a hostname was provided it wasn't used to configure either > certmonger or sssd. This resulted in a non-working configuration. [snip] > @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, > nickname=None): > > return (stdout, stderr, returncode) > >+def _find_ipa_submit_ca(): >+""" >+Look through all the certmonger CA files to find the one that >+defines ipa-submit as the ca_external_helper. >+ >+We can use find_request_value because the ca files have the >+same file format. >+""" >+fileList=os.listdir(CA_DIR) >+for file in fileList: >+value = find_request_value('%s/%s' % (CA_DIR, file), >'ca_external_helper') >+if value is not None and >value.startswith('/usr/libexec/certmonger/ipa-submit'): >+return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
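Review bot: _find_ipa_submit_ca() falls off the end with an implicit None when no CA file matches, and os.listdir(CA_DIR) raises OSError when /var/lib/certmonger/cas does not exist yet, which the commit message says is the case until certmonger has started once; add an explicit `return None`, guard the directory with os.path.isdir, and make sure the caller (not in this hunk) handles None before rewriting the helper line. Minor: build paths with os.path.join(CA_DIR, name) instead of '%s/%s', skip entries that are not regular files before handing them to find_request_value, and rename the loop variable `file`, which shadows the builtin.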
[Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration.

Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer.

We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them.

ticket 1029

To test do something like:

    # ipa-client-install --hostname some_other_host.example.com
    # ipa-getcert list
    # id admin

If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf.

The certificate in ipa-getcert should be MONITORING.

Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True

Now run: ipa-client-install --uninstall

The host entry on the server should have Keytab: False

ipa-getcert list should return nothing (you'll need to start the certmonger service to see it)

rob

freeipa-rcrit-749-hostname.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
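An added example, not code from the patch or from FreeIPA, showing the approach the thread converges on: locate the certmonger CA file by its id=IPA line (Nalin's suggestion above) rather than by the ipa-submit helper path, then add -k with the principal to ca_external_helper on enrollment and strip it again on uninstall, as the commit message describes. Assumptions not on the page: the CA files are plain key=value lines (the thread implies this by reusing find_request_value on them), the value passed with -k is the host principal, the sample files and directory names are constructed, and the helper names find_value, find_ca_by_id, add_principal and remove_principal are mine. It also handles the case the commit message warns about, a missing /var/lib/certmonger/cas because certmonger has not been started yet.

```python
import os
import shlex
import tempfile

# Constructed sample certmonger CA files (not copied from a real system).
# The key=value layout with id= and ca_external_helper= lines is what the
# thread describes; the other keys are assumed for illustration only.
SAMPLE_CAS = {
    "20110304175959": "id=IPA\nca_type=EXTERNAL\n"
                      "ca_external_helper=/usr/libexec/certmonger/ipa-submit\n",
    # A second CA that also runs ipa-submit: a helper-path match is ambiguous
    # here, an id=IPA match is not.
    "20110304180000": "id=IPA-alt\nca_type=EXTERNAL\n"
                      "ca_external_helper=/usr/libexec/certmonger/ipa-submit -v\n",
    "20110304180001": "id=SelfSign\nca_type=INTERNAL:SELF\n",
}


def find_value(path, key):
    """Value of the first 'key=value' line in path, or None if absent."""
    with open(path) as f:
        for line in f:
            if "=" not in line:
                continue
            k, v = line.rstrip("\n").split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None


def find_ca_by_id(ca_dir, ca_id="IPA"):
    """Path of the CA file whose id= equals ca_id, or None."""
    # certmonger writes these files on its first start, so the directory
    # may not exist yet; report that as None instead of raising OSError.
    if not os.path.isdir(ca_dir):
        return None
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if os.path.isfile(path) and find_value(path, "id") == ca_id:
            return path
    return None


def _set_value(path, key, value):
    """Rewrite the first 'key=...' line in place; True if a line changed."""
    with open(path) as f:
        lines = f.readlines()
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = "%s=%s\n" % (key, value)
            with open(path, "w") as f:
                f.writelines(lines)
            return True
    return False


def _edit_helper(ca_dir, ca_id, edit):
    """Apply edit(args) -> new args to the ca_external_helper of ca_id."""
    path = find_ca_by_id(ca_dir, ca_id)
    helper = find_value(path, "ca_external_helper") if path else None
    if helper is None:
        return False
    args = shlex.split(helper)
    new_args = edit(args)
    if new_args == args:
        return False
    joined = " ".join(shlex.quote(a) for a in new_args)
    return _set_value(path, "ca_external_helper", joined)


def add_principal(ca_dir, principal, ca_id="IPA"):
    """Append '-k principal' on enrollment; a no-op if already present."""
    def edit(args):
        return args if "-k" in args else args + ["-k", principal]
    return _edit_helper(ca_dir, ca_id, edit)


def remove_principal(ca_dir, ca_id="IPA"):
    """Drop '-k principal' again on uninstall."""
    def edit(args):
        if "-k" not in args:
            return args
        i = args.index("-k")
        return args[:i] + args[i + 2:]
    return _edit_helper(ca_dir, ca_id, edit)


def demo(principal="host/client.example.com@EXAMPLE.COM"):
    """Enroll/uninstall round trip over the sample files in a temp dir."""
    with tempfile.TemporaryDirectory() as ca_dir:
        for name, body in SAMPLE_CAS.items():
            with open(os.path.join(ca_dir, name), "w") as f:
                f.write(body)
        out = {"first": add_principal(ca_dir, principal),
               "again": add_principal(ca_dir, principal)}
        out["enrolled"] = find_value(find_ca_by_id(ca_dir), "ca_external_helper")
        out["removed"] = remove_principal(ca_dir)
        out["uninstalled"] = find_value(find_ca_by_id(ca_dir), "ca_external_helper")
        out["other"] = find_value(find_ca_by_id(ca_dir, "IPA-alt"), "ca_external_helper")
        return out
```

demo() writes the constructed samples into a temporary directory and returns the helper line after enrollment and after uninstall; the IPA-alt file is untouched throughout, which is the point of matching on id= instead of the helper path. On a real client the functions would be pointed at /var/lib/certmonger/cas with certmonger stopped, as the commit message says, and the None return of find_ca_by_id is the signal that certmonger has not yet created its CA files.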