Re: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
On 23.06.2016 12:29, Jan Cholasta wrote:
> On 23.6.2016 12:24, Martin Basti wrote:
>> On 23.06.2016 08:52, Stanislav Laznicka wrote:
>>> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>>>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required.
>>>>
>>>> "The nss_db variable didn't go through the proper initialization"
>>>>
>>>> You are going to have to be more specific, because the variable is properly initialized right here:
>>>>
>>>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>>>
>>>> And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():
>>>>
>>>>     def __init__(self, nssdir=None):
>>>>         if nssdir is None:
>>>>             self.secdir = tempfile.mkdtemp()
>>>>             self._is_temporary = True
>>>>         else:
>>>>             self.secdir = nssdir
>>>>             self._is_temporary = False
>>>
>>> You're right, the commit message was rather generic. Hopefully this new one will be better.
>>
>> Works for me, if Honza agrees this can be pushed.
>
> Okay.

Pushed to master: 0db48e4d04b3b8377667b388b88f2fe9f57bf4a3

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
On 23.6.2016 12:24, Martin Basti wrote:
> On 23.06.2016 08:52, Stanislav Laznicka wrote:
>> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>>> Hello,
>>>>
>>>> Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required.
>>>
>>> "The nss_db variable didn't go through the proper initialization"
>>>
>>> You are going to have to be more specific, because the variable is properly initialized right here:
>>>
>>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>>
>>> And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():
>>>
>>>     def __init__(self, nssdir=None):
>>>         if nssdir is None:
>>>             self.secdir = tempfile.mkdtemp()
>>>             self._is_temporary = True
>>>         else:
>>>             self.secdir = nssdir
>>>             self._is_temporary = False
>>
>> You're right, the commit message was rather generic. Hopefully this new one will be better.
>
> Works for me, if Honza agrees this can be pushed.

Okay.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
On 23.06.2016 08:52, Stanislav Laznicka wrote:
> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required.
>>
>> "The nss_db variable didn't go through the proper initialization"
>>
>> You are going to have to be more specific, because the variable is properly initialized right here:
>>
>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>
>> And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():
>>
>>     def __init__(self, nssdir=None):
>>         if nssdir is None:
>>             self.secdir = tempfile.mkdtemp()
>>             self._is_temporary = True
>>         else:
>>             self.secdir = nssdir
>>             self._is_temporary = False
>
> You're right, the commit message was rather generic. Hopefully this new one will be better.

Works for me, if Honza agrees this can be pushed.
Re: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
On 06/23/2016 08:09 AM, Jan Cholasta wrote: On 22.6.2016 16:22, Stanislav Laznicka wrote: Hello, Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required. "The nss_db variable didn't go through the proper initialization" You are going to have to be more specific, because the variable is properly initialized right here: with certdb.NSSDatabase(nss_dir) as nss_db: And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase(): def __init__(self, nssdir=None): if nssdir is None: self.secdir = tempfile.mkdtemp() self._is_temporary = True else: self.secdir = nssdir self._is_temporary = False You're right, the commit message was rather generic. Hopefully this new one will be better. From 010b809a0e940dc25af9f531b60b5b72d1a48b79 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Jun 2016 16:08:49 +0200 Subject: [PATCH] Fix to ipa-ca-install asking for host principal password With a ca_cert_file specified in options, the nss_db was used before the certificates from the file were added to it, which caused an exception that led to fallback to ssh which is broken. https://fedorahosted.org/freeipa/ticket/5965 --- install/tools/ipa-replica-conncheck | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 991f4e429dd1df7036b4a1c0175ca5daaea521ad..e308b118f20306107bc62eba2a60187fbc52f4fc 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -462,10 +462,6 @@ def main(): nss_dir = paths.IPA_NSSDB_DIR with certdb.NSSDatabase(nss_dir) as nss_db: -api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri, - nss_dir=nss_db.secdir) -api.finalize() - if options.ca_cert_file: nss_dir = nss_db.secdir 
@@ -483,6 +479,9 @@ def main(): else: nss_dir = None +api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri, + nss_dir=nss_db.secdir) +api.finalize() try: api.Backend.rpcclient.connect() api.Command.ping() -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
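Review bot: The added api.bootstrap()/api.finalize() lines in the second hunk now depend on running after the options.ca_cert_file branch, but nothing in the code records that ordering requirement. A one-line comment above api.bootstrap(...) saying that the NSS database must already hold the certificates from ca_cert_file would keep a later cleanup from moving the call back to the top of the with block, where the first hunk removed it.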
Re: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
On 22.6.2016 16:22, Stanislav Laznicka wrote:
> Hello,
>
> Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required.

"The nss_db variable didn't go through the proper initialization"

You are going to have to be more specific, because the variable is properly initialized right here:

    with certdb.NSSDatabase(nss_dir) as nss_db:

And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():

    def __init__(self, nssdir=None):
        if nssdir is None:
            self.secdir = tempfile.mkdtemp()
            self._is_temporary = True
        else:
            self.secdir = nssdir
            self._is_temporary = False

--
Jan Cholasta
[Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
Hello, Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required. The fact is that should rpcclient connection fail for some other reason and the control would fall back to SSH, this will still be broken and needs fixing. I will create a ticket for that. Standa From 66e49904f7901fbfebcbd1a8b9f397667e89c60b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Jun 2016 16:08:49 +0200 Subject: [PATCH] Fix to ipa-ca-install asking for host principal password The nss_db variable didn't go through the proper initialization https://fedorahosted.org/freeipa/ticket/5965 --- install/tools/ipa-replica-conncheck | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 991f4e429dd1df7036b4a1c0175ca5daaea521ad..e308b118f20306107bc62eba2a60187fbc52f4fc 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -462,10 +462,6 @@ def main(): nss_dir = paths.IPA_NSSDB_DIR with certdb.NSSDatabase(nss_dir) as nss_db: -api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri, - nss_dir=nss_db.secdir) -api.finalize() - if options.ca_cert_file: nss_dir = nss_db.secdir @@ -483,6 +479,9 @@ def main(): else: nss_dir = None +api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri, + nss_dir=nss_db.secdir) +api.finalize() try: api.Backend.rpcclient.connect() api.Command.ping() -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
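Review bot: In the second hunk, the relocated api.bootstrap() call passes nss_dir=nss_db.secdir even though the if/else directly above it has just set the local nss_dir (to nss_db.secdir when options.ca_cert_file is given, to None otherwise). In the else branch the two values differ, so it is worth either a short comment stating that bootstrap is meant to use nss_db.secdir regardless of the branch, or passing the local nss_dir if that is what was intended.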