Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

2011-10-21 Thread Martin Kosek
On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
 Hello,
 
 Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
 
 Best regards,
 Lars

Hello Lars,

thank you for your investigation of the problem and the patch!

I had to refactor the patch a little: your patch updated just the
temporary krb5.conf, not the one put permanently in /etc/krb5.conf.

I also moved the DNS update before certmonger is configured.
Otherwise certmonger may fail because the client does not have a proper
DNS record.

Patch attached.

Martin
From 180b06667b966db7ab79d92fa2ca0fce56efe2c6 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 21 Oct 2011 11:18:26 +0200
Subject: [PATCH] Fix client krb5 domain mapping and DNS

Add Kerberos mapping for clients outside of server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and certificate is requested.

Based on Lars Sjöström's patch.

https://fedorahosted.org/freeipa/ticket/2006
---
 ipa-client/ipa-install/ipa-client-install |   20 +---
 1 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 628652efcf2067ec1997a8656d5ff471dc3baa90..2f7f1ff55f455f8750f7e22de5d8973a6a342295 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server):
 
 return
 
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, client_domain):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
 krbconf.setOptionAssignment( = )
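Review bot: the new client_domain parameter is appended to an already ten-argument positional signature that carries no docstring, and since filename and client_domain are both plain strings, a caller that swaps the last two arguments would fail only at runtime with a confusing krb5.conf. Consider documenting the parameter in the function header and passing it by keyword at both call sites, e.g. `client_domain=client_domain`.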
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
 #[domain_realm]
 dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
   {'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+#add client domain mapping if different from server domain
+if cli_domain != client_domain:
+dropts.append({'name':'.'+client_domain, 'type':'option', 'value':cli_realm})
+dropts.append({'name':client_domain, 'type':'option', 'value':cli_realm})
+
 opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
 opts.append({'name':'empty', 'type':'empty'})
 
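Review bot: `if cli_domain != client_domain:` compares the two domain names case-sensitively, while DNS names are case-insensitive; a host whose FQDN differs from the server domain only in letter case would get a second, redundant pair of [domain_realm] entries. Normalise both sides (e.g. `.lower()`) before comparing. The added mapping also assumes the client's own domain belongs to cli_realm, which is the intent of ticket 2006 but deserves a word in the comment above the block.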
@@ -895,6 +901,8 @@ def install(options, env, fstore, statestore):
 cli_domain = ds.getDomainName()
 logging.debug(will use domain: %s\n, cli_domain)
 
+client_domain = hostname[hostname.find(.)+1:]
+
 if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
 or not ds.getServerName():
 logging.debug(IPA Server not found)
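Review bot: `hostname.find(.)` returns -1 when hostname contains no dot, so the slice becomes `hostname[0:]` and client_domain silently ends up equal to the short host name, which the earlier hunk would then write into [domain_realm] as if it were a domain. The thread confirms hostname is already guaranteed to be an FQDN at this point; making that precondition explicit here, either with a check that returns CLIENT_INSTALL_ERROR when `'.' not in hostname` or at least a comment, keeps a later refactor from breaking the assumption unnoticed.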
@@ -1015,7 +1023,7 @@ def install(options, env, fstore, statestore):
 print Unable to sync time with IPA NTP server, assuming the time is in sync.
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, client_domain):
 print Test kerberos configuration failed
 return CLIENT_INSTALL_ERROR
 env['KRB5_CONFIG'] = krb_name
@@ -1115,17 +1123,15 @@ def install(options, env, fstore, statestore):
 if not options.on_master:
 # Configure krb5.conf
 fstore.backup_file(/etc/krb5.conf)
-if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf):
+if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf, client_domain):
 return CLIENT_INSTALL_ERROR
 
 print Configured /etc/krb5.conf for IPA realm  + cli_realm
 
-configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
-
-#Try to update the DNS records, failure is not fatal
-if not options.on_master:
 client_dns(cli_server, hostname, options.dns_updates)
 
+configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
+
 #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed)
 nscd = ipaservices.knownservices.nscd
 if nscd.is_installed():
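Review bot: the removed comment `#Try to update the DNS records, failure is not fatal` documented behaviour that still holds for the surviving `client_dns(cli_server, hostname, options.dns_updates)` call; keep it above that call so the non-fatal intent is not lost. Since the call's own `if not options.on_master:` guard was deleted, please also confirm the call now sits inside the enclosing `if not options.on_master:` block that opens this hunk (indentation is not visible in the mail), otherwise a master install would start issuing DNS updates against itself.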
-- 
1.7.6.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

2011-10-21 Thread Alexander Bokovoy
On Fri, 21 Oct 2011, Martin Kosek wrote:
 On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
  Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
 thank you for your investigation of the problem and the patch!
 
 I had to refactor the patch a little: your patch updated just the
 temporary krb5.conf, not the one put permanently in /etc/krb5.conf.
 
 I also moved the DNS update before certmonger is configured.
 Otherwise certmonger may fail because the client does not have a proper
 DNS record.
 
 Patch attached.
ACK. It took me a while but hostname is ensured to be FQDN by the 
point we do that dangerous hostname[where is the dot+1:] operation. :)

-- 
/ Alexander Bokovoy

Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain

2011-10-21 Thread Martin Kosek
Hello Lars,

that's the plan.

I pushed the patch to master, ipa-2-1 and set up flags for the BZ so
that we can get it to Snapshot 4.

Martin

On Fri, 2011-10-21 at 13:57 +0200, Lars Sjöström wrote:
 Excellent! Thanks guys! Still a chance that this can be backported
 into the rhel6.2 release?
 
 Best regards,
 Lars
 
 2011/10/21 Alexander Bokovoy aboko...@redhat.com:
  On Fri, 21 Oct 2011, Martin Kosek wrote:
  On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
   Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
  thank you for your investigation of the problem and the patch!
 
  I had to refactor the patch a little: your patch updated just the
  temporary krb5.conf, not the one put permanently in /etc/krb5.conf.
 
  I also moved the DNS update before certmonger is configured.
  Otherwise certmonger may fail because the client does not have a proper
  DNS record.
 
  Patch attached.
  ACK. It took me a while but hostname is ensured to be FQDN by the
  point we do that dangerous hostname[where is the dot+1:] operation. :)
 
  --
  / Alexander Bokovoy
 