Jan Cholasta wrote:
Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra case to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client
yet.
This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.
To reproduce:
- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
'_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
$REPLICA_HOSTNAME"
done
ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
$MASTER_HOSTNAME"
ipa dnsrecord-find $DOMAIN # check
- Sever communication between the hosts to disable replication:
(on master)
iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client
This will fail without the patch.
Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.
https://fedorahosted.org/freeipa/ticket/2982
ACK, pushed to master and ipa-3-0
rob
The patch broke server installs. Please revert it if you're having
trouble while I look into it.
I messed up and removed the kinit call entirely when installing on
master. Attaching a fix.
Works for me, ACK.
Honza
pushed to master and ipa-3-0
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
