On 06/06/2016 07:18 PM, Martin Basti wrote:



On 02.06.2016 14:58, Florence Blanc-Renaud wrote:

Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH connection to the master, so that the username is always fully qualified.

https://fedorahosted.org/freeipa/ticket/5812
--
Florence Blanc-Renaud
Identity Management Team, Red Hat



LGTM, but because of current issues with replica install in the master branch, I couldn't test it, and I would like to be sure that ipa-replica-install using NTP will work too.


Just a little nitpick: for better readability, 'command' should be on a new line
-            '%s@%s' % (self.user, self.addr), command
+            '-o User=%s' % self.user,
+            '%s' % self.addr, command

Martin^2

Hi Martin,

thanks for the review. I am attaching a new patch with your suggestion. Just for my record, what would be the command-line options to test the scenario you're referring to?

Flo.

From c044d89b789c91384ac0c648e1f2eee88cac4cf3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes <principal>@<master hostname> \
    echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal ad...@example.com).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
this leads to an SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes -o User=<principal> \
    <master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master.

https://fedorahosted.org/freeipa/ticket/5812
---
 install/tools/ipa-replica-conncheck | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdf08d63127614a9b26995026e3c25806003f5a0..991f4e429dd1df7036b4a1c0175ca5daaea521ad 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,9 @@ class SshExec(object):
             '-o StrictHostKeychecking=no',
             '-o UserKnownHostsFile=%s' % tmpf.name,
             '-o GSSAPIAuthentication=yes',
-            '%s@%s' % (self.user, self.addr), command
+            '-o User=%s' % self.user,
+            '%s' % self.addr,
+            command
         ]
         if verbose:
             cmd.insert(1, '-v')
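Review bot: `'%s' % self.addr` on the third added line formats a value that is already a string; pass `self.addr` directly, which keeps the list just as readable now that `command` sits on its own line. Carrying the user in `-o User=%s` is the right choice here, because once `self.user` is the full principal (`admin@EXAMPLE.COM`) the old `user@host` form would have produced `admin@EXAMPLE.COM@master`, which ssh cannot split unambiguously. Since the hunk touches these options anyway, the pre-existing `-o StrictHostKeychecking=no` could be spelled `StrictHostKeyChecking` like the ssh_config keyword; it only works today because OpenSSH matches keywords case-insensitively, and the misspelling invites a copy-paste into a tool that does not.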
@@ -517,7 +519,8 @@ def main():
             except Exception:
                 print_info("Retrying using SSH...")
 
-                user = principal.partition('@')[0]
+                # Ticket 5812 Always qualify requests for admin
+                user = principal
                 ssh = SshExec(user, options.master)
 
                 print_info("Check SSH connection to remote master")
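Review bot: `user = principal` now makes `user` a plain alias, so `SshExec(principal, options.master)` would read more clearly and drop a variable; the comment would also be more useful if it gave the reason (with sssd's `default_domain_suffix` set, an unqualified `admin` resolves in the wrong domain) rather than only the ticket number. One gap to confirm: if `--principal` can be supplied without a realm, `principal` is still the bare `admin` at this point and the failure described in the commit message still occurs; if that is a supported input, consider appending the realm when the value contains no `@`.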
-- 
2.5.5
