Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
On 03/22/2013 06:17 PM, Tomas Babej wrote:
> On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>>>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> A new option --force-join has been added to ipa-client-install.
>>>>> It forces the host enrollment even if the host entry exists.
>>>>> Old certificate is revoked, new certificate and ssh key pair
>>>>> generated. See the relevant design for the re-enrollment part:
>>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>
>>> --force-join is not mentioned there. Since you're adding a new option,
>>> you need to document it.
>>
>> What is the difference between force-join and force? All force does is
>> let the install continue if the join fails, so if we're forcing join
>> to succeed too...
>>
>
> There's more of different behaviour in ipa-client-install with --force option:
> - in case of install error, changes are not rolled back
> - in unattended mode, using --force allows to retrieve the CA cert using HTTP
> - Kerberos and LDAP settings are forced
>
> I'm not against merging the options, it just seemed to me as though they
> provide support for slightly different use cases.
>
> Though, man page for ipa-client-install says about --force option the
> following:
> "Force the settings even if errors occur".
>

That's true, I think that host reenrollment is quite specific action that deserves special force flag. Additionally, people reenrolling a client may not want the changes above. Thus, I am also for special force flag for this operation.

Since Petr already checked the patch works, I am giving second ACK.

Pushed to master (as agreed with Tomas, I just updated link to wiki page in commit message).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> A new option --force-join has been added to ipa-client-install.
>>>> It forces the host enrollment even if the host entry exists.
>>>> Old certificate is revoked, new certificate and ssh key pair
>>>> generated. See the relevant design for the re-enrollment part:
>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>
>> --force-join is not mentioned there. Since you're adding a new option,
>> you need to document it.
>
> What is the difference between force-join and force? All force does is
> let the install continue if the join fails, so if we're forcing join
> to succeed too...
>

There's more of different behaviour in ipa-client-install with --force option:
- in case of install error, changes are not rolled back
- in unattended mode, using --force allows to retrieve the CA cert using HTTP
- Kerberos and LDAP settings are forced

I'm not against merging the options, it just seemed to me as though they
provide support for slightly different use cases.

Though, man page for ipa-client-install says about --force option the
following:
"Force the settings even if errors occur".

>>>> https://fedorahosted.org/freeipa/ticket/3482
>>>>
>>>> Tomas
>>>
>>> A-and the patch itself.
>>
>> The patch itself works fine.
Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
Petr Viktorin wrote:
> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> A new option --force-join has been added to ipa-client-install.
>>> It forces the host enrollment even if the host entry exists.
>>> Old certificate is revoked, new certificate and ssh key pair
>>> generated. See the relevant design for the re-enrollment part:
>>> http://freeipa.org/page/V3/Client_install_using_keytab
>
> --force-join is not mentioned there. Since you're adding a new option,
> you need to document it.

What is the difference between force-join and force? All force does is
let the install continue if the join fails, so if we're forcing join
to succeed too...

>>> https://fedorahosted.org/freeipa/ticket/3482
>>>
>>> Tomas
>>
>> A-and the patch itself.
>
> The patch itself works fine.
Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
On 03/18/2013 02:49 PM, Tomas Babej wrote:
> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>> Hi,
>>
>> A new option --force-join has been added to ipa-client-install.
>> It forces the host enrollment even if the host entry exists.
>> Old certificate is revoked, new certificate and ssh key pair
>> generated. See the relevant design for the re-enrollment part:
>> http://freeipa.org/page/V3/Client_install_using_keytab

--force-join is not mentioned there. Since you're adding a new option,
you need to document it.

>> https://fedorahosted.org/freeipa/ticket/3482
>>
>> Tomas
>
> A-and the patch itself.

The patch itself works fine.

-- 
Petr³
Re: [Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
On 03/18/2013 02:46 PM, Tomas Babej wrote:
> Hi,
>
> A new option --force-join has been added to ipa-client-install.
> It forces the host enrollment even if the host entry exists.
> Old certificate is revoked, new certificate and ssh key pair
> generated. See the relevant design for the re-enrollment part:
> http://freeipa.org/page/V3/Client_install_using_keytab
>
> https://fedorahosted.org/freeipa/ticket/3482
>
> Tomas

A-and the patch itself.

Tomas

>From 559bbeb362dc984d95b7503b7eaaebbb4b13fb5f Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 18 Mar 2013 11:06:22 +0100 Subject: [PATCH] Allow host re-enrollment using delegation A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3482 --- ipa-client/ipa-install/ipa-client-install | 5 + ipa-client/man/ipa-client-install.1 | 5 - 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index d9e1b7e786466ba11fb8fd1d00a72904dfcc0005..0239dc8463aae46eb5ffb92988808733779e3461 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -111,6 +111,9 @@ def parse_options(): help="The hostname of this machine (FQDN). If specified, the hostname will be set and " "the system configuration will be updated to persist over reboot. " "By default a nodename result from uname(2) is used.") +basic_group.add_option("", "--force-join", dest="force_join", + action="store_true", default=False, + help="Force client enrollment even if already enrolled") basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use") basic_group.add_option("-N", "--no-ntp", action="store_false", help="do not configure ntp", default=True, dest="conf_ntp") @@ -1986,6 +1989,8 @@ def install(options, env, fstore, statestore): if options.hostname: join_args.append("-h") join_args.append(options.hostname) +if options.force_join: +join_args.append("-f") if options.principal is not None: stdin = None principal = options.principal diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 8a77a113a58556c39f401f9079cff35d273c1e4a..d98318eeda1d6b60d4a6bcb1321db03bfabe15a8 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -77,7 +77,7 @@ Password for joining a machine to the IPA realm. Assumes bulk password unless pr Prompt for the password for joining a machine to the IPA realm. .TP \fB\-k\fR, \fB\-\-keytab\fR -Path to backed up host keytab from previous enrollment. +Path to backed up host keytab from previous enrollment. Joins the host even if it is already enrolled. .TP \fB\-\-mkhomedir\fR Configure PAM to create a users home directory if it does not exist. 
@@ -85,6 +85,9 @@ Configure PAM to create a users home directory if it does not exist. \fB\-\-hostname\fR The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used. .TP +\fB\-\-force\-join\fR +Join the host even if it is already enrolled. +.TP \fB\-\-ntp\-server\fR=\fINTP_SERVER\fR Configure ntpd to use this NTP server. .TP -- 1.7.11.7
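Review bot: in the parse_options hunk (@@ -111,6 +111,9 @@) the new add_option call passes an empty string "" as the short option, while the neighbouring --ntp-server option in the same hunk omits the short form entirely (basic_group.add_option("--ntp-server", ...)); drop the "" for consistency. The help string "Force client enrollment even if already enrolled" also leaves out the consequence the commit message states, that the old certificate is revoked and a new certificate and SSH key pair are generated; since the option overwrites an existing host's credentials, the help text should say so.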
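Review bot: the install() hunk (@@ -1986,6 +1989,8 @@) forwards --force-join to the join step as "-f", but the diffstat shows only ipa-client-install and its man page changing, so nothing in this patch shows the ipa-join side accepting -f or performing the revocation and key regeneration the commit message promises; confirm that ipa-join already implements that before relying on it. It would also help to log that a forced re-enrollment was requested right before join_args.append("-f"), so an operator reading the client install log can see why an existing host entry was replaced.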
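Review bot: the --keytab entry in the man page hunk (@@ -77,7 +77,7 @@) gains the sentence "Joins the host even if it is already enrolled.", but the code hunk passes -f only when options.force_join is set, and nothing in this patch ties --keytab to force_join. Either that sentence belongs under --force-join only, or the install() hunk should also set force_join when a keytab is supplied; as written the documentation promises behaviour the code does not implement.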
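Review bot: the new --force-join entry in the man page hunk (@@ -85,6 +85,9 @@), "Join the host even if it is already enrolled.", should spell out what happens to the existing entry, as the commit message does: the old certificate is revoked and a new certificate and SSH key pair are generated. Rob's question in the thread shows that the distinction from --force ("Force the settings even if errors occur") is not obvious, so one sentence contrasting the two options here would save the next reader the same question.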