On 06/06/2016 07:18 PM, Martin Basti wrote:
On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
Hi,
this patch modifies ipa-replica-conncheck when it performs the SSH
connection to the master, so that the username is always fully qualified.
https://fedorahosted.org/freeipa/ticket/5812
--
Florence Blanc-Renaud
Identity Management Team, Red Hat
LGTM, but because of current issues with replica install in the master
branch, I couldn't test it, and I would like to be sure that
ipa-replica-install using NTP will work too.
Just a little nitpick: for better readability, 'command' should be on a
new line.
- '%s@%s' % (self.user, self.addr), command
+ '-o User=%s' % self.user,
+ '%s' % self.addr, command
Martin^2
Hi Martin,
thanks for the review. I am attaching a new patch with your suggestion.
Just for my record, what would be the command-line options to test the
scenario you're referring to?
Flo.
From c044d89b789c91384ac0c648e1f2eee88cac4cf3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck
ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes <principal>@<master hostname> \
echo OK
The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal ad...@example.com).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
[sssd]
default_domain_suffix = ad.domain.com
this leads to an SSH connection failure because admin is not defined in
the default domain.
The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes -o User=<principal> \
<master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master
https://fedorahosted.org/freeipa/ticket/5812
---
install/tools/ipa-replica-conncheck | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdf08d63127614a9b26995026e3c25806003f5a0..991f4e429dd1df7036b4a1c0175ca5daaea521ad 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,9 @@ class SshExec(object):
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'-o GSSAPIAuthentication=yes',
- '%s@%s' % (self.user, self.addr), command
+ '-o User=%s' % self.user,
+ '%s' % self.addr,
+ command
]
if verbose:
cmd.insert(1, '-v')
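Review bot: `'%s' % self.addr` on the new host line is a no-op format; plain `self.addr` reads cleaner and matches the bare `command` element right below it. Since `self.user` now carries a realm-qualified principal containing `@`, it would also be worth a one-line check that `self.addr` itself contains no `@`, otherwise the positional destination word would again be parsed by ssh as user@host, which is the ambiguity this hunk sets out to avoid.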
@@ -517,7 +519,8 @@ def main():
except Exception:
print_info("Retrying using SSH...")
- user = principal.partition('@')[0]
+ # Ticket 5812 Always qualify requests for admin
+ user = principal
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
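Review bot: `user = principal` turns `user` into a plain alias, so `SshExec(principal, options.master)` could be called directly and the local dropped; if the variable stays, the comment is more useful explaining why the full principal is needed (sssd's default_domain_suffix makes an unqualified name resolve in the wrong domain) rather than repeating the ticket title. Please also confirm that `principal` is guaranteed to carry a realm at this point: a caller passing `--principal admin` without `@REALM` would now send the unqualified name to ssh, which is exactly the case the commit message says fails.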
--
2.5.5
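To make the point of the patch concrete, here is an added example (not FreeIPA's code; the real implementation is the SshExec class in the patch above) that builds the ssh argv both the old way and the new way and exposes the destination word ssh would parse. The option names, the helper names and the sample principal/host values are constructed for this illustration; the `-o` name/value pairs are passed as separate argv elements here, which is the more common idiom than the single-word form FreeIPA uses.

```python
"""Build an ipa-replica-conncheck style ssh argv two ways.

Added example, not FreeIPA's own code. It shows why a realm-qualified
principal must travel in its own '-o User=' option instead of being
glued into a 'user@host' word.
"""
import shlex


def legacy_argv(user, addr, known_hosts, command):
    """Pre-patch shape: user and host fused into one positional word."""
    return [
        'ssh',
        '-o', 'StrictHostKeyChecking=no',
        '-o', 'UserKnownHostsFile=%s' % known_hosts,
        '-o', 'GSSAPIAuthentication=yes',
        '%s@%s' % (user, addr),   # ambiguous once user contains '@'
        command,
    ]


def qualified_argv(user, addr, known_hosts, command, verbose=False):
    """Post-patch shape: the user goes in '-o User=', host stays bare."""
    # Defensive check added here (not in the patch): a host with '@'
    # would reintroduce the user@host ambiguity on the positional word.
    if '@' in addr:
        raise ValueError('host must not contain "@": %r' % (addr,))
    cmd = [
        'ssh',
        '-o', 'StrictHostKeyChecking=no',
        '-o', 'UserKnownHostsFile=%s' % known_hosts,
        '-o', 'GSSAPIAuthentication=yes',
        '-o', 'User=%s' % user,   # '@' in the principal is harmless here
        addr,
        command,
    ]
    if verbose:
        cmd.insert(1, '-v')
    return cmd


def destination_word(argv):
    """The positional word ssh interprets as [user@]host (second to last)."""
    return argv[-2]


def as_shell(argv):
    """Quote the list the way a shell would need it, for logging only."""
    return ' '.join(shlex.quote(a) for a in argv)


if __name__ == '__main__':
    # Constructed sample values, not real hosts.
    old = legacy_argv('admin@EXAMPLE.COM', 'master.example.com', '/tmp/kh', 'echo OK')
    new = qualified_argv('admin@EXAMPLE.COM', 'master.example.com', '/tmp/kh', 'echo OK')
    print('legacy destination  :', destination_word(old))
    print('qualified destination:', destination_word(new))
    print(as_shell(new))
```

Running the block prints the fused `admin@EXAMPLE.COM@master.example.com` word for the legacy form and a bare `master.example.com` for the qualified form, which is the whole difference the patch relies on.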
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code