Petr Viktorin wrote:
On 03/07/2013 04:27 PM, Tomas Babej wrote:
On 03/07/2013 04:12 PM, Petr Viktorin wrote:
Thanks! I just have two more very minor nitpicks.

On 03/06/2013 01:04 PM, Tomas Babej wrote:
On 03/05/2013 02:10 PM, Petr Viktorin wrote:
Thanks! The mechanism works, but see below.

This is a RFE so it needs a design document.

http://freeipa.org/page/V3/Client_install_using_keytab

Please also add the link to the commit message.


I think you answered Petr²'s security questions adequately.
Petr, note that this is a client-side change; if the keytab is
compromised the attacker can do all this manually anyway.

diff --git a/ipa-client/ipa-install/ipa-client-install
b/ipa-client/ipa-install/ipa-client-install
index
308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b

100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -104,6 +104,8 @@ def parse_options():
[...]
@@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
          except ipaclient.ntpconf.NTPConfigurationError:
              pass

-    if options.unattended and (options.password is None and
options.principal is None and options.prompt_password is False) and
not options.on_master:
-        root_logger.error("One of password and principal are
required.")
+    if options.unattended and ((options.password is None and
+                                options.principal is None and
+                                options.keytab is None and
+                                options.prompt_password is False)\
+                                and not options.on_master):
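
Review bot: the error text removed in this hunk, "One of password and principal are required.", no longer matches the new condition, which also accepts `options.keytab`; its replacement is not visible in the quoted hunk, so make sure the new message names the keytab as the third option before this is pushed. On style, the backslash after `options.prompt_password is False)` is redundant because Python already continues lines inside the open parenthesis, and the extra inner parentheses around the four-way conjunction add nothing; dropping both leaves a single `if options.unattended and (... ) and not options.on_master:` that reads the same as the old line.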

Please also remove the inner parentheses and the backslash.

Both fixed, updated patch attached.

Tomas

ACK, thanks!


This needs related man page updates before we can push it.

Can you update the design to specifically include that the old certificate needs to be revoked, not just that a new certificate be issued (sort of implied, and it worked in my testing)?

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel