Hi, A host that has been previously unenrolled, and whose host entry has not been disabled or removed, can be re-enrolled using a previously backed-up keytab file.
A new option --keytab has been added to ipa-client-install. It can be used to specify the path to the keytab and can be used instead of the -p or -w options. A new option -f has been added to ipa-join. It forces the client to join even if the host entry already exists. A new certificate and new SSH keys are generated; the ipaUniqueID stays the same. https://fedorahosted.org/freeipa/ticket/3374 Attaching a comparison between host entry states (enrolled using principal and re-enrolled using keytab). Tomas
>From e576009bb7a93daec1cbc4ef94785017f80b2756 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 26 Feb 2013 13:20:13 +0100
Subject: [PATCH] Add support for re-enrolling hosts using keytab
A host that has been previously unenrolled and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file.
A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options.
A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits.
A new certificate, ssh keys are generated, ipaUniqueID stays the same.
https://fedorahosted.org/freeipa/ticket/3374
---
 ipa-client/ipa-install/ipa-client-install | 32 +++++++++++++++++++++++++++++--
 ipa-client/ipa-join.c | 14 +++++++++-----
 2 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -104,6 +104,8 @@ def parse_options():
 help="principal to use to join the IPA realm"),
 basic_group.add_option("-w", "--password", dest="password", sensitive=True,
 help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
+ basic_group.add_option("-k", "--keytab", dest="keytab", sensitive=True,
+ help="path to backed up keytab from previous enrollment"),
 basic_group.add_option("-W", dest="prompt_password", action="store_true",
 default=False,
 help="Prompt for a password to join the IPA realm"),
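Review bot: The new `--keytab` option is declared `sensitive=True` exactly like `--password`, presumably so its value is kept out of logs, yet its value is a file path rather than a credential, and the keytab branch added in the hunk at `@@ -1985` echoes that same path in its error messages (`"Keytab file could not be found: %s"`), so the marking is inconsistent with how the value is used; either drop `sensitive=True` or keep the path out of those log lines. The help text should also state what the keytab must contain, because the later `kinit -k -t` authenticates as the host principal and any other keytab will simply fail: `help="path to backed up keytab from previous enrollment (must contain the host/<fqdn> key)"`. `parse_options` continues outside the hunk.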
@@ -1691,7 +1693,11 @@ def install(options, env, fstore, statestore):
 except ipaclient.ntpconf.NTPConfigurationError:
 pass
- if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master:
+ if options.unattended and (options.password is None and
+ options.principal is None and
+ options.keytab is None and
+ options.prompt_password is False)\
+ and not options.on_master:
 root_logger.error("One of password and principal are required.")
 return CLIENT_INSTALL_ERROR
@@ -1985,12 +1991,34 @@ def install(options, env, fstore, statestore):
 else:
 stdin = sys.stdin.readline()
- (stderr, stdout, returncode) = run(["kinit", principal], raiseonerr=False, stdin=stdin, env=env)
+ (stderr, stdout, returncode) = run(["kinit", principal],
+ raiseonerr=False,
+ stdin=stdin,
+ env=env)
 if returncode != 0:
 root_logger.error("Kerberos authentication failed")
 root_logger.info("%s", stdout)
 print_port_conf_info()
 return CLIENT_INSTALL_ERROR
+ elif options.keytab:
+ join_args.append("-f")
+ if os.path.exists(options.keytab):
+ (stderr, stdout, returncode) = run(
+ ['/usr/bin/kinit','-k', '-t', options.keytab,
+ 'host/%s@%s' % (hostname, cli_realm)],
+ env=env,
+ raiseonerr=False)
+
+ if returncode != 0:
+ root_logger.error("Kerberos authentication failed "
+ "using keytab: %s" % options.keytab)
+ root_logger.info("%s", stdout)
+ print_port_conf_info()
+ return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.error("Keytab file could not be found: %s"
+ % options.keytab)
+ return CLIENT_INSTALL_ERROR
 elif options.password:
 nolog = (options.password,)
 join_args.append("-w")
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 8369e360f90dfc4ade1db792745b660da50677ca..df33d3b08cf69a37ae9de76266a071825a95871f 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
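Review bot: The unattended check now also accepts `options.keytab`, but the message on the line after the rewritten condition still reads `One of password and principal are required.`, so an unattended run that supplies none of the three is told about only two of its options. Change it to `root_logger.error("One of password, principal or keytab is required.")` so the error matches the condition it reports on. `install` continues outside the hunk.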
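Review bot: The keytab branch runs `/usr/bin/kinit` by absolute path while the principal branch a few lines above still runs `["kinit", principal]`, so the two paths resolve the binary differently; use one form for both (the absolute path is the more defensible one if PATH cannot be trusted). The failure message is also formatted with `%` before it reaches the logger, unlike the adjacent `root_logger.info("%s", stdout)`; prefer `root_logger.error("Kerberos authentication failed using keytab: %s", options.keytab)` and the same shape for the not-found message. Note that `-f` is appended to `join_args` only in this branch, so a forced re-join is tied to a successful `kinit` as `host/<fqdn>` from the supplied keytab, which is the right scoping and deserves a comment, e.g. `# -f (force) is only passed when we could authenticate with the host's own keytab`. `install` continues outside the hunk.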
@@ -558,7 +558,7 @@ done:
 }
 static int
-join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int quiet) {
+join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int force, int quiet) {
 xmlrpc_env env;
 xmlrpc_value * argArrayP = NULL;
 xmlrpc_value * paramArrayP = NULL;
@@ -663,7 +663,7 @@ join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **pri
 goto cleanup;
 }
 xmlrpc_struct_find_value(&env, structP, "krblastpwdchange", &krblastpwdchangeP);
- if (krblastpwdchangeP) {
+ if (krblastpwdchangeP && !force) {
 xmlrpc_value * singleprincP = NULL;
 /* FIXME: all values are returned as lists currently. Once this is
@@ -929,7 +929,7 @@ cleanup:
 static int
-join(const char *server, const char *hostname, const char *bindpw, const char *basedn, const char *keytab, int quiet)
+join(const char *server, const char *hostname, const char *bindpw, const char *basedn, const char *keytab, int force, int quiet)
 {
 int rval = 0;
 pid_t childpid = 0;
@@ -1003,7 +1003,8 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
 rval = 6;
 goto cleanup;
 }
- rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, quiet);
+ rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, force,
+ quiet);
 }
 if (rval) goto cleanup;
@@ -1100,6 +1101,7 @@ main(int argc, const char **argv) {
 static const char *basedn = NULL;
 int quiet = 0;
 int unenroll = 0;
+ int force = 0;
 struct poptOption options[] = {
 { "debug", 'd', POPT_ARG_NONE, &debug, 0,
 _("Print the raw XML-RPC output in GSSAPI mode"), NULL },
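Review bot: With `force` set, the whole `if (krblastpwdchangeP && !force)` block in the `@@ -663` hunk is skipped, but `krblastpwdchangeP` has just been populated by `xmlrpc_struct_find_value`; if the `xmlrpc_DECREF` for that value lives inside the skipped block (the block continues past the hunk), the reference is leaked on every forced join. Safer to keep the outer `if (krblastpwdchangeP)` test, release the value unconditionally inside it, and make only the "already joined" early exit depend on `!force`. The line also deserves a comment that `force` merely disables this client-side guard; whether the server accepts a join for a host that already holds a keytab is decided server-side and is not visible here, so the flag must not be read as an authorization bypass. `join_krb5` is declared in the first hunk and its body continues outside this one.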
@@ -1113,6 +1115,8 @@ main(int argc, const char **argv) {
 _("IPA Server to use"), _("hostname") },
 { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
 _("Specifies where to store keytab information."), _("filename") },
+ { "force", 'f', POPT_ARG_NONE, &force, 0,
+ _("Force the host join. Rejoin even if already joined."), NULL },
 { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
 _("LDAP password (if not using Kerberos)"), _("password") },
 { "basedn", 'b', POPT_ARG_STRING, &basedn, 0,
@@ -1149,7 +1153,7 @@ main(int argc, const char **argv) {
 } else {
 ret = check_perms(keytab);
 if (ret == 0)
- ret = join(server, hostname, bindpw, basedn, keytab, quiet);
+ ret = join(server, hostname, bindpw, basedn, keytab, force, quiet);
 }
 exit(ret);
--
1.7.11.7
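Review bot: The `--force` help text `Force the host join. Rejoin even if already joined.` promises more than the code delivers: `force` is threaded only into `join_krb5` (hunk at `@@ -1003`), so it appears to have no effect on the `--bindpw` LDAP join path, and in the Kerberos path it only skips the client-side `krblastpwdchange` check rather than overriding anything on the server. Say so in the option string so an operator does not expect `-w ... -f` to re-enroll a host, e.g. `_("Force the host join (Kerberos mode only). Rejoin even if already joined."), NULL },`. `main` continues outside the hunk.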
dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br fqdn: vm-078.example.com fqdn: vm-078.example.com ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOTFZwfVABE3UNjNgnSYRAMcfFPm7T/NiZ5z4VbyzrP+NJzjUdd+ | ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOz9Jp42qxv3QvV3QoYOeLECuPpsVM1vrL4rS4MbKuSOPa6Nlu2Q ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Li43jjUraASij+4jHM9peFF0a0vXBH7252vQELhc | ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRG7ifJNlX3upFCzd6Yqmug9wVIswIj7epZyXconay has_password: False has_password: False has_keytab: True has_keytab: True subject: CN=vm-078.example.com,O=EXAMPLE.COM subject: CN=vm-078.example.com,O=EXAMPLE.COM serial_number: 15 | serial_number: 16 serial_number_hex: 0xF | serial_number_hex: 0x10 issuer: CN=Certificate Authority,O=EXAMPLE.COM issuer: CN=Certificate Authority,O=EXAMPLE.COM valid_not_before: Mon Mar 04 11:11:12 2013 UTC | valid_not_before: Mon Mar 04 11:51:11 2013 UTC valid_not_after: Thu Mar 05 11:11:12 2015 UTC | valid_not_after: Thu Mar 05 11:51:11 2015 UTC md5_fingerprint: 27:7e:df:49:1c:8a:9f:d9:ce:86:4a:eb:2b:d9:e3:63 | md5_fingerprint: d7:87:8d:7c:4f:ee:2d:27:c5:91:e5:f3:ab:4e:8c:de sha1_fingerprint: 4f:d9:45:d6:75:8b:53:1c:da:df:5c:d7:de:a5:6b:c4:70:14:92:20 | sha1_fingerprint: 15:d2:9a:81:78:b2:d7:92:91:45:70:4d:b8:ff:be:95:58:24:db:fe sshpubkeyfp: 18:0A:83:16:75:F9:79:3F:AF:F3:01:71:7D:C2:84:0B (ssh-dss) | sshpubkeyfp: 92:31:BD:3E:BF:B2:27:2A:CB:08:16:4F:BB:B8:F7:8A (ssh-dss) sshpubkeyfp: 9E:03:F0:A7:D2:B9:11:C6:44:25:40:93:3B:B1:42:33 (ssh-rsa) | sshpubkeyfp: 96:A7:2E:A3:B5:13:76:00:93:0B:0C:3A:72:59:F3:6B (ssh-rsa) cn: vm-078.example.com cn: vm-078.example.com enrolledBy: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com enrolledBy: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a ipaUniqueID: 
37183b78-84bc-11e2-9fb3-001a4a22046a krbExtraData: AAJMgTRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR | krbExtraData: AAKrijRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR krbLastPwdChange: 20130304111108Z | krbLastPwdChange: 20130304115107Z krbLastSuccessfulAuth: 20130304111115Z | krbLastSuccessfulAuth: 20130304115114Z krbPrincipalName: host/vm-078.example....@example.com krbPrincipalName: host/vm-078.example....@example.com managedBy: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en managedBy: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en managing: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng managing: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng objectClass: ipaobject objectClass: ipaobject objectClass: nshost objectClass: nshost objectClass: ipahost objectClass: ipahost objectClass: pkiuser objectClass: pkiuser objectClass: ipaservice objectClass: ipaservice objectClass: krbprincipalaux objectClass: krbprincipalaux objectClass: krbprincipal objectClass: krbprincipal objectClass: ieee802device objectClass: ieee802device objectClass: ipasshhost objectClass: ipasshhost objectClass: top objectClass: top objectClass: ipaSshGroupOfPubKeys objectClass: ipaSshGroupOfPubKeys serverHostName: vm-078 serverHostName: vm-078 userCertificate: MIIFHTCCBAWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU | userCertificate: MIIFHTCCBAWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU