Hi,

A host that has been previously unenrolled, and whose host entry has not
been disabled or removed, can be re-enrolled using a previously backed-up
keytab file.

A new option --keytab has been added to ipa-client-install. It specifies
the path to the backed-up keytab and can be used instead of the -p or -w
options.

A new option -f has been added to ipa-join. It forces the client to
join even if the host entry already exists. A new certificate and new
SSH keys are generated; ipaUniqueID stays the same.

https://fedorahosted.org/freeipa/ticket/3374

Attaching a comparison between host entry states
(enrolled using principal and reenrolled using keytab).

Tomas

>From e576009bb7a93daec1cbc4ef94785017f80b2756 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 26 Feb 2013 13:20:13 +0100
Subject: [PATCH] Add support for re-enrolling hosts using keytab

A host that has been previously unenrolled and does not have its
host entry disabled or removed, can be re-enrolled using
a previously backed up keytab file.

A new option --keytab has been added to ipa-client-install. This
can be used to specify path to the keytab and can be used instead
of -p or -w options.

A new option -f has been added to ipa-join. It forces the client to
join even if the host entry already exists. A new certificate and new
SSH keys are generated; ipaUniqueID stays the same.

https://fedorahosted.org/freeipa/ticket/3374
---
 ipa-client/ipa-install/ipa-client-install | 32 +++++++++++++++++++++++++++++--
 ipa-client/ipa-join.c                     | 14 +++++++++-----
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -104,6 +104,8 @@ def parse_options():
                       help="principal to use to join the IPA realm"),
     basic_group.add_option("-w", "--password", dest="password", sensitive=True,
                       help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
+    basic_group.add_option("-k", "--keytab", dest="keytab", sensitive=True,
+                      help="path to backed up keytab from previous enrollment"),
     basic_group.add_option("-W", dest="prompt_password", action="store_true",
                       default=False,
                       help="Prompt for a password to join the IPA realm"),
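Review bot: The new `--keytab` option is marked `sensitive=True` like `--password` on the line above it, yet its value is a file path rather than a secret; if `sensitive` causes the value to be redacted from the install log (which is what it appears to do for the password), the path an admin needs to debug a failed re-enrollment disappears from the log. Either drop `sensitive=True` for the path or keep it with a comment explaining why the path itself is treated as secret. The help text could also say what the file is used for: `help="path to a backed up keytab from a previous enrollment; used to authenticate the host for re-enrollment"`. The diffstat shows no man-page change, so `ipa-client-install.1` needs an entry for `-k/--keytab` as well.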
@@ -1691,7 +1693,11 @@ def install(options, env, fstore, statestore):
         except ipaclient.ntpconf.NTPConfigurationError:
             pass
 
-    if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master:
+    if options.unattended and (options.password is None and
+                               options.principal is None and
+                               options.keytab is None and
+                               options.prompt_password is False)\
+                               and not options.on_master:
         root_logger.error("One of password and principal are required.")
         return CLIENT_INSTALL_ERROR
 
@@ -1985,12 +1991,34 @@ def install(options, env, fstore, statestore):
                         else:
                             stdin = sys.stdin.readline()
 
-                (stderr, stdout, returncode) = run(["kinit", principal], raiseonerr=False, stdin=stdin, env=env)
+                (stderr, stdout, returncode) = run(["kinit", principal],
+                                                    raiseonerr=False,
+                                                    stdin=stdin,
+                                                    env=env)
                 if returncode != 0:
                     root_logger.error("Kerberos authentication failed")
                     root_logger.info("%s", stdout)
                     print_port_conf_info()
                     return CLIENT_INSTALL_ERROR
+            elif options.keytab:
+                join_args.append("-f")
+                if os.path.exists(options.keytab):
+                    (stderr, stdout, returncode) = run(
+                        ['/usr/bin/kinit','-k', '-t', options.keytab,
+                            'host/%s@%s' % (hostname, cli_realm)],
+                        env=env,
+                        raiseonerr=False)
+
+                    if returncode != 0:
+                        root_logger.error("Kerberos authentication failed "
+                                          "using keytab: %s" % options.keytab)
+                        root_logger.info("%s", stdout)
+                        print_port_conf_info()
+                        return CLIENT_INSTALL_ERROR
+                else:
+                    root_logger.error("Keytab file could not be found: %s"
+                                      % options.keytab)
+                    return CLIENT_INSTALL_ERROR
             elif options.password:
                 nolog = (options.password,)
                 join_args.append("-w")
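Review bot: `os.path.exists(options.keytab)` accepts a directory or a file root cannot read, after which kinit fails and the user only sees "Kerberos authentication failed using keytab"; `if os.path.isfile(options.keytab) and os.access(options.keytab, os.R_OK):` gives a precise error before kinit is invoked. The keytab branch also calls `/usr/bin/kinit` by absolute path while the principal branch a few lines above calls `kinit`, so the two invocations should agree. `join_args.append("-f")` is executed before the keytab is validated; both failure paths return, so behaviour is unchanged, but moving the append below the check reads as "force only once we hold a usable credential". Since a successful forced join rotates the host key on the server (the attached comparison shows krbLastPwdChange changing), the backup keytab passed here becomes stale but stays on disk, and a log line telling the admin to remove or refresh it would help.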
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 8369e360f90dfc4ade1db792745b660da50677ca..df33d3b08cf69a37ae9de76266a071825a95871f 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -558,7 +558,7 @@ done:
 }
 
 static int
-join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int quiet) {
+join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int force, int quiet) {
     xmlrpc_env env;
     xmlrpc_value * argArrayP = NULL;
     xmlrpc_value * paramArrayP = NULL;
@@ -663,7 +663,7 @@ join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **pri
         goto cleanup;
     }
     xmlrpc_struct_find_value(&env, structP, "krblastpwdchange", &krblastpwdchangeP);
-    if (krblastpwdchangeP) {
+    if (krblastpwdchangeP && !force) {
         xmlrpc_value * singleprincP = NULL;
 
         /* FIXME: all values are returned as lists currently. Once this is
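Review bot: Skipping the whole `krblastpwdchangeP` block when `force` is set means the forced path no longer executes anything that block does after the "already enrolled" test, including any release of `krblastpwdchangeP` and `singleprincP` that may live there; the block continues past the hunk, so confirm the value returned by `xmlrpc_struct_find_value` is still released on the forced path, or enter the block unconditionally and only skip the error inside it. This test runs in the client (ipa-join.c), so `-f` bypasses a client-side convenience check only; whether a caller may overwrite an enrolled host's keys stays a server-side decision, and a comment saying so would stop future readers from treating it as an authorization control: `/* Client-side check only; the server decides who may rejoin an enrolled host. */`. join_krb5 starts and ends outside the hunk.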
@@ -929,7 +929,7 @@ cleanup:
 
 
 static int
-join(const char *server, const char *hostname, const char *bindpw, const char *basedn, const char *keytab, int quiet)
+join(const char *server, const char *hostname, const char *bindpw, const char *basedn, const char *keytab, int force, int quiet)
 {
     int rval = 0;
     pid_t childpid = 0;
@@ -1003,7 +1003,8 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
             rval = 6;
             goto cleanup;
         }
-        rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, quiet);
+        rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, force,
+                         quiet);
     }
 
     if (rval) goto cleanup;
@@ -1100,6 +1101,7 @@ main(int argc, const char **argv) {
     static const char *basedn = NULL;
     int quiet = 0;
     int unenroll = 0;
+    int force = 0;
     struct poptOption options[] = {
         { "debug", 'd', POPT_ARG_NONE, &debug, 0,
           _("Print the raw XML-RPC output in GSSAPI mode"), NULL },
@@ -1113,6 +1115,8 @@ main(int argc, const char **argv) {
           _("IPA Server to use"), _("hostname") },
         { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
           _("Specifies where to store keytab information."), _("filename") },
+        { "force", 'f', POPT_ARG_NONE, &force, 0,
+          _("Force the host join. Rejoin even if already joined."), NULL },
         { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
           _("LDAP password (if not using Kerberos)"), _("password") },
         { "basedn", 'b', POPT_ARG_STRING, &basedn, 0,
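Review bot: The help string for the new `force` option says only "Rejoin even if already joined" and not the consequence the commit message states, namely that the host's keytab and certificate are replaced and the old ones stop working. Suggest `_("Force the host join. Rejoin even if already joined; the existing keytab and certificate are replaced.")`. The diffstat shows no change to the ipa-join man page, so `-f/--force` needs documenting there too. main() continues outside the hunk.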
@@ -1149,7 +1153,7 @@ main(int argc, const char **argv) {
     } else {
         ret = check_perms(keytab);
         if (ret == 0)
-            ret = join(server, hostname, bindpw, basedn, keytab, quiet);
+            ret = join(server, hostname, bindpw, basedn, keytab, force, quiet);
     }
 
     exit(ret);
-- 
1.7.11.7

  dn: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br     
                    dn: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br
  fqdn: vm-078.example.com                                                      
                          fqdn: vm-078.example.com
  ipasshpubkey: ssh-dss 
AAAAB3NzaC1kc3MAAACBAOTFZwfVABE3UNjNgnSYRAMcfFPm7T/NiZ5z4VbyzrP+NJzjUdd+   |    
  ipasshpubkey: ssh-dss 
AAAAB3NzaC1kc3MAAACBAOz9Jp42qxv3QvV3QoYOeLECuPpsVM1vrL4rS4MbKuSOPa6Nlu2Q
  ipasshpubkey: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Li43jjUraASij+4jHM9peFF0a0vXBH7252vQELhc   |    
  ipasshpubkey: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDRG7ifJNlX3upFCzd6Yqmug9wVIswIj7epZyXconay
  has_password: False                                                           
                          has_password: False
  has_keytab: True                                                              
                          has_keytab: True
  subject: CN=vm-078.example.com,O=EXAMPLE.COM                                  
                          subject: CN=vm-078.example.com,O=EXAMPLE.COM
  serial_number: 15                                                             
                   |      serial_number: 16
  serial_number_hex: 0xF                                                        
                   |      serial_number_hex: 0x10
  issuer: CN=Certificate Authority,O=EXAMPLE.COM                                
                          issuer: CN=Certificate Authority,O=EXAMPLE.COM
  valid_not_before: Mon Mar 04 11:11:12 2013 UTC                                
                   |      valid_not_before: Mon Mar 04 11:51:11 2013 UTC
  valid_not_after: Thu Mar 05 11:11:12 2015 UTC                                 
                   |      valid_not_after: Thu Mar 05 11:51:11 2015 UTC
  md5_fingerprint: 27:7e:df:49:1c:8a:9f:d9:ce:86:4a:eb:2b:d9:e3:63              
                   |      md5_fingerprint: 
d7:87:8d:7c:4f:ee:2d:27:c5:91:e5:f3:ab:4e:8c:de
  sha1_fingerprint: 4f:d9:45:d6:75:8b:53:1c:da:df:5c:d7:de:a5:6b:c4:70:14:92:20 
                   |      sha1_fingerprint: 
15:d2:9a:81:78:b2:d7:92:91:45:70:4d:b8:ff:be:95:58:24:db:fe
  sshpubkeyfp: 18:0A:83:16:75:F9:79:3F:AF:F3:01:71:7D:C2:84:0B (ssh-dss)        
                   |      sshpubkeyfp: 
92:31:BD:3E:BF:B2:27:2A:CB:08:16:4F:BB:B8:F7:8A (ssh-dss)
  sshpubkeyfp: 9E:03:F0:A7:D2:B9:11:C6:44:25:40:93:3B:B1:42:33 (ssh-rsa)        
                   |      sshpubkeyfp: 
96:A7:2E:A3:B5:13:76:00:93:0B:0C:3A:72:59:F3:6B (ssh-rsa)
  cn: vm-078.example.com                                                        
                          cn: vm-078.example.com
  enrolledBy: 
uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com     
            enrolledBy: 
uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a                             
                          ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a
  krbExtraData: 
AAJMgTRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR
   |      krbExtraData: 
AAKrijRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR
  krbLastPwdChange: 20130304111108Z                                             
                   |      krbLastPwdChange: 20130304115107Z
  krbLastSuccessfulAuth: 20130304111115Z                                        
                   |      krbLastSuccessfulAuth: 20130304115114Z
  krbPrincipalName: host/vm-078.example....@example.com                         
                          krbPrincipalName: host/vm-078.example....@example.com
  managedBy: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en            
             managedBy: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en
  managing: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng           
              managing: 
fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng
  objectClass: ipaobject                                                        
                          objectClass: ipaobject
  objectClass: nshost                                                           
                          objectClass: nshost
  objectClass: ipahost                                                          
                          objectClass: ipahost
  objectClass: pkiuser                                                          
                          objectClass: pkiuser
  objectClass: ipaservice                                                       
                          objectClass: ipaservice
  objectClass: krbprincipalaux                                                  
                          objectClass: krbprincipalaux
  objectClass: krbprincipal                                                     
                          objectClass: krbprincipal
  objectClass: ieee802device                                                    
                          objectClass: ieee802device
  objectClass: ipasshhost                                                       
                          objectClass: ipasshhost
  objectClass: top                                                              
                          objectClass: top
  objectClass: ipaSshGroupOfPubKeys                                             
                          objectClass: ipaSshGroupOfPubKeys
  serverHostName: vm-078                                                        
                          serverHostName: vm-078
  userCertificate: 
MIIFHTCCBAWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU   
|      userCertificate: 
MIIFHTCCBAWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU