On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
Hello,
Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
Best regards,
Lars
Hello Lars,
thank you for your investigation of the problem and the patch!
I had to refactor the patch a little, your patch updated just the
temporary krb5.conf, not the one put permanently to /etc/krb5.conf.
I also moved DNS update before the certmonger is being configured.
Otherwise certmonger may fail because the client does not have proper
DNS record.
Patch attached.
Martin
From 180b06667b966db7ab79d92fa2ca0fce56efe2c6 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 21 Oct 2011 11:18:26 +0200
Subject: [PATCH] Fix client krb5 domain mapping and DNS
Add Kerberos mapping for clients outside of server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and certificate is requested.
Based on Lars Sjostrom patch.
https://fedorahosted.org/freeipa/ticket/2006
---
ipa-client/ipa-install/ipa-client-install | 20 +---
1 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 628652efcf2067ec1997a8656d5ff471dc3baa90..2f7f1ff55f455f8750f7e22de5d8973a6a342295 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server):
return
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, client_domain):
krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
krbconf.setOptionAssignment( = )
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
#[domain_realm]
dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
{'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+#add client domain mapping if different from server domain
+if cli_domain != client_domain:
+dropts.append({'name':'.'+client_domain, 'type':'option', 'value':cli_realm})
+dropts.append({'name':client_domain, 'type':'option', 'value':cli_realm})
+
opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
opts.append({'name':'empty', 'type':'empty'})
@@ -895,6 +901,8 @@ def install(options, env, fstore, statestore):
cli_domain = ds.getDomainName()
logging.debug(will use domain: %s\n, cli_domain)
+client_domain = hostname[hostname.find(.)+1:]
+
if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
or not ds.getServerName():
logging.debug(IPA Server not found)
@@ -1015,7 +1023,7 @@ def install(options, env, fstore, statestore):
print Unable to sync time with IPA NTP server, assuming the time is in sync.
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, client_domain):
print Test kerberos configuration failed
return CLIENT_INSTALL_ERROR
env['KRB5_CONFIG'] = krb_name
@@ -1115,17 +1123,15 @@ def install(options, env, fstore, statestore):
if not options.on_master:
# Configure krb5.conf
fstore.backup_file(/etc/krb5.conf)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf, client_domain):
return CLIENT_INSTALL_ERROR
print Configured /etc/krb5.conf for IPA realm + cli_realm
-configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
-
-#Try to update the DNS records, failure is not fatal
-if not options.on_master:
client_dns(cli_server, hostname, options.dns_updates)
+configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
+
#Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed)
nscd = ipaservices.knownservices.nscd
if nscd.is_installed():
--
1.7.6.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel