These patches allow a client to enroll with old servers.

The bug was reported in uploading SSH keys:
https://fedorahosted.org/freeipa/ticket/3931
but while testing against v2.1 I found and fixed another bug that prevented the install.

See the commit messages.


With these patches I've successfully enrolled on:
- Fedora 19, master
- Fedora 19, 3.3.1-1
- Fedora 19, 3.3.1-1, CA-less
- RHEL 6.2, 2.1.3-9 (SSH keys not supported, --force for cert over HTTP)

--
Petr³
From 1bbca44e773745dac321de986e47dd8c981b2d8b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 4 Oct 2013 10:23:16 +0200
Subject: [PATCH] ipa-client-install: Use direct RPC instead of api.Command

To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.

RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.

https://fedorahosted.org/freeipa/ticket/3931
---
 ipa-client/ipa-install/ipa-client-install | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index fdfadee765b74a537a5872e13b5211a98e3d8865..e23e6dc5836244090126781db8da5e66cb706880 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1467,9 +1467,13 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
         f.close()
 
     try:
-        result = api.Command['host_mod'](unicode(hostname),
+        # Use the RPC directly so older servers are supported
+        api.Backend.xmlclient.forward(
+            'host_mod',
+            unicode(hostname),
             ipasshpubkey=[pk.openssh() for pk in pubkeys],
-            updatedns=False
+            updatedns=False,
+            version=u'2.26',  # this version adds support for SSH public keys
         )
     except errors.EmptyModlist:
         pass
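Review bot: The u'2.26' passed as version= in update_ssh_keys() is a bare literal tied to one feature, so it would read better as a named constant next to the other client constants, with the inline comment moved there. Since the cover mail says the 2.1.3 server does not support SSH keys, please also confirm that the handlers following `except errors.EmptyModlist` cover the rejection an older server returns for this request, so the failure is logged rather than raised out of the install. The return value of forward() is no longer assigned, which is fine as long as nothing after this block reads `result`.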
@@ -2373,7 +2377,13 @@ def install(options, env, fstore, statestore):
             'Cannot connect to the server due to generic error: %s', str(e))
         return CLIENT_INSTALL_ERROR
 
-    remote_env = api.Command['env'](server=True)['result']
+    # Use the RPC directly so older servers are supported
+    result = api.Backend.xmlclient.forward(
+        'env',
+        server=True,
+        version=u'2.0',
+    )
+    remote_env = result['result']
     if not remote_env['enable_ra']:
         disable_ra()
 
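Review bot: The version=u'2.0' in the 'env' call in install() has no explanation, unlike the 2.26 literal in update_ssh_keys(), which carries a comment saying why that version was chosen. Please add a short comment stating why 2.0 is the floor (for example, that it is the oldest API version the client intends to enroll against). The new forward() call also sits outside the preceding try block that returns CLIENT_INSTALL_ERROR, so an RPC error here would propagate as an exception; consider handling it the same way as the connection errors above. The comment "Use the RPC directly so older servers are supported" is now duplicated in two places, which suggests a small helper that wraps api.Backend.xmlclient.forward() with an explicit version.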
-- 
1.8.3.1

From d802a84d6e4544e2d093fc36c7fb37ed4b5fb4f5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 4 Oct 2013 00:44:51 +0200
Subject: [PATCH] ipa-client-install: Verify RPC connection with a ping

With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.

Verify that commands succeed by sending a ping after connecting.

Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
---
 ipa-client/ipa-install/ipa-client-install | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index e23e6dc5836244090126781db8da5e66cb706880..3c78c844b17468f347ef04198d58a12b11e4b4cb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2350,13 +2350,22 @@ def install(options, env, fstore, statestore):
         pass
 
     # Now, let's try to connect to the server's XML-RPC interface
+    connected = False
     try:
         api.Backend.xmlclient.connect()
+        connected = True
+        root_logger.debug('Try RPC connection')
+        api.Backend.xmlclient.forward('ping')
     except errors.KerberosError, e:
+        if connected:
+            api.Backend.xmlclient.disconnect()
         root_logger.info('Cannot connect to the server due to ' +
             'Kerberos error: %s. Trying with delegate=True', str(e))
         try:
             api.Backend.xmlclient.connect(delegate=True)
+            root_logger.debug('Try RPC connection')
+            api.Backend.xmlclient.forward('ping')
+
             root_logger.info('Connection with delegate=True successful')
 
             # The remote server is not capable of Kerberos S4U2Proxy delegation
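Review bot: In the delegate=True retry inside install(), a ping failure after a successful connect(delegate=True) leaves the connection open in the visible lines, whereas the first attempt tracks `connected` and calls disconnect() before retrying. Please apply the same cleanup in the inner try, or factor connect-then-ping into one helper that disconnects on failure so both paths behave identically. The message 'Cannot connect to the server due to Kerberos error' is also misleading now that this branch is reached when connect() succeeded and only the ping failed; wording such as "Cannot use the RPC connection" would match the new behaviour. The debug string 'Try RPC connection' appears twice and could say which attempt it belongs to.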
-- 
1.8.3.1
