On 09/12/2012 02:58 PM, Jan Cholasta wrote:
> On 12.9.2012 14:09, Petr Viktorin wrote:
>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> When installing the client, we need to take extra care to only contact
>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>
>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>> didn't have the host principal yet.
>>>>>
>>>>> To reproduce:
>>>>>
>>>>> - Install a "master" and "replica"
>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>   for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>       ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>   done
>>>>>   ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>   ipa dnsrecord-find $DOMAIN # check
>>>>> - Sever communication between the hosts to disable replication:
>>>>>   (on master)
>>>>>   iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>>>>   install client
>>>>>
>>>>> This will fail without the patch.
>>>>>
>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>> explain the bug. I learned a lot.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>
>>>> ACK, pushed to master and ipa-3-0
>>>>
>>>> rob
>>>
>>> The patch broke server installs. Please revert it if you're having
>>> trouble while I look into it.
>>
>> I messed up and removed the kinit call entirely when installing on
>> master. Attaching a fix.
>
> Works for me, ACK.
>
> Honza
When the server installation is complete, I was surprised to see I now have host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat....@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat....@idm.lab.bos.redhat.com

I don't think this is an expected behavior; the installer should use a CCACHE separate from the user's default.

Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
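The two points raised in this thread, pinning enrolment-time Kerberos traffic to the one server being installed against (so SRV-based KDC discovery cannot land on a replica that has not yet received the host principal) and keeping the installer's tickets out of the user's default credential cache, can be demonstrated with plain MIT Kerberos configuration. The script below is an added example written for this page; it is not FreeIPA's code and makes no claim about what the patch itself does internally. REALM, SERVER and KEYTAB are hypothetical placeholder values.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code. Two techniques from the thread:
#  1. talk only to the server you are installing against: a private krb5.conf
#     names exactly one KDC and disables DNS SRV discovery of KDCs and realms;
#  2. keep the installer's credentials in a private ccache so they never end up
#     in the user's default one (the /tmp/krb5cc_0 seen in the klist above).
# REALM, SERVER and KEYTAB are hypothetical placeholder values.

REALM=EXAMPLE.TEST
SERVER=ipa.example.test
KEYTAB=/etc/krb5.keytab

# Write a minimal krb5.conf that pins every realm endpoint to one server.
# $1 = realm, $2 = server FQDN, $3 = output file
write_pinned_krb5_conf() {
    realm=$1; server=$2; out=$3
    cat > "$out" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  $realm = {
    kdc = $server:88
    master_kdc = $server:88
    admin_server = $server:749
    kpasswd_server = $server:464
  }
EOF
}

# Obtain credentials from a keytab into a private ccache using only the pinned
# configuration. KRB5_CONFIG and KRB5CCNAME are set for the kinit process only,
# so the caller's environment, /etc/krb5.conf and default ccache are untouched.
# $1 = krb5.conf, $2 = ccache file, $3 = keytab, $4 = principal
kinit_pinned() {
    KRB5_CONFIG=$1 KRB5CCNAME=FILE:$2 kinit -k -t "$3" "$4"
}

# Enrolment-style sequence: a 0700 scratch directory from mktemp -d holds both
# the pinned config and the ccache; everything is removed afterwards, so no
# host ticket is left behind in the default ccache.
run_enrolment_kinit() {
    workdir=$(mktemp -d) || return 1
    write_pinned_krb5_conf "$REALM" "$SERVER" "$workdir/krb5.conf"
    kinit_pinned "$workdir/krb5.conf" "$workdir/ccache" "$KEYTAB" \
        "host/$(hostname -f)@$REALM"
    rc=$?
    # Show what was obtained, again without touching the default ccache.
    KRB5CCNAME=FILE:$workdir/ccache klist 2>/dev/null
    rm -rf "$workdir"
    return $rc
}

# Only contact a KDC when explicitly asked to; generating the config is harmless.
if [ "${1:-}" = "--run" ]; then
    run_enrolment_kinit
fi
```

Run with `--run` on an enrolled host to see the ticket land in the scratch ccache and disappear with it; the default `klist` afterwards shows nothing new. The same pinned krb5.conf also makes the thread's reproduction scenario deterministic: with SRV discovery off, which KDC answers no longer depends on the `_kerberos._tcp` records or on the nameserver in /etc/resolv.conf.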