Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 06:02 PM, Petr Viktorin wrote:
> On 09/12/2012 04:04 PM, Martin Kosek wrote:
>> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>>> On 12.9.2012 14:09, Petr Viktorin wrote:
>>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> When installing the client, we need to take extra care to only contact
>>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>>> didn't have the host principal yet.
>>>>>>>
>>>>>>> To reproduce:
>>>>>>> - Install a master and replica
>>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>>     done
>>>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>>>> - install client
>>>>>>>
>>>>>>> This will fail without the patch.
>>>>>>>
>>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>>> explain the bug. I learned a lot.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>>
>>>>>> ACK, pushed to master and ipa-3-0
>>>>>>
>>>>>> rob
>>>>>
>>>>> The patch broke server installs. Please revert it if you're having
>>>>> trouble while I look into it.
>>>>
>>>> I messed up and removed the kinit call entirely when installing on
>>>> master. Attaching a fix.
>>>
>>> Works for me, ACK.
>>>
>>> Honza
>>
>> When the server installation is complete, I was surprised to see I now
>> have host credentials in my CCACHE:
>>
>> # ipa-server-install --setup-dns
>> ...
>> ==============================================================================
>> Setup complete
>>
>> Next steps:
>>     1. You must make sure these network ports are open:
>>         TCP Ports:
>>           * 80, 443: HTTP/HTTPS
>>           * 389, 636: LDAP/LDAPS
>>           * 88, 464: kerberos
>>           * 53: bind
>>         UDP Ports:
>>           * 88, 464: kerberos
>>           * 53: bind
>>           * 123: ntp
>>
>>     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>>        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>>        and the web user interface.
>>
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this
>> file is the Directory Manager password
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>> Valid starting     Expires            Service principal
>> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
>> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>> I don't think this is an expected behavior, the installer should use a
>> CCACHE separate from the user's default.
>>
>> Martin
>
> I need to slow down. Thanks for the catch. Attaching another fix.

Yup, this fixes it. ACK. Pushed to master, ipa-3-0.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> When installing the client, we need to take extra care to only contact
>> the one server we're installing against. Otherwise, in the real world,
>> we might hit a server that hasn't replicated info about the client yet.
>> This patch fixes a bug where kinit attempted to contact a KDC that
>> didn't have the host principal yet.
>>
>> To reproduce:
>> - Install a master and replica
>> - Change the Kerberos DNS entries to only point to the replica:
>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>     done
>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>     ipa dnsrecord-find $DOMAIN  # check
>> - Sever communication between the hosts to disable replication:
>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>> - On client machine, put master as nameserver in /etc/resolv.conf
>> - install client
>>
>> This will fail without the patch.
>>
>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>> explain the bug. I learned a lot.
>>
>> https://fedorahosted.org/freeipa/ticket/2982
>
> ACK, pushed to master and ipa-3-0
>
> rob

The patch broke server installs. Please revert it if you're having
trouble while I look into it.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> When installing the client, we need to take extra care to only contact
>>> the one server we're installing against. Otherwise, in the real world,
>>> we might hit a server that hasn't replicated info about the client yet.
>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>> didn't have the host principal yet.
>>>
>>> To reproduce:
>>> - Install a master and replica
>>> - Change the Kerberos DNS entries to only point to the replica:
>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>     done
>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>     ipa dnsrecord-find $DOMAIN  # check
>>> - Sever communication between the hosts to disable replication:
>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>> - install client
>>>
>>> This will fail without the patch.
>>>
>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>> explain the bug. I learned a lot.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2982
>>
>> ACK, pushed to master and ipa-3-0
>>
>> rob
>
> The patch broke server installs. Please revert it if you're having
> trouble while I look into it.

I messed up and removed the kinit call entirely when installing on
master. Attaching a fix.

-- 
Petr³

From d8686e7063aa749cdd6c26721820cf30658e1c30 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 12 Sep 2012 07:31:15 -0400
Subject: [PATCH] Fix server installation

The fix to ticket #2982 removed a kinit call when the client was
installed as part of a master. Re-add the kinit call in this case.
---
 ipa-client/ipa-install/ipa-client-install | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 06e07983956b87c75fbd59139ea5fcaa046d7980..392aa65a0503a2ff647a8f6b089f8dfcc3fec094 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1569,8 +1569,16 @@ def install(options, env, fstore, statestore): root_logger.info(Failed to add CA to the default NSS database.) return CLIENT_INSTALL_ERROR -# If on master assume kerberos is already configured properly. -if not options.on_master: +if options.on_master: +# If on master assume kerberos is already configured properly. +# Get the host TGT. +try: +run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', +'host/%s@%s' % (hostname, cli_realm)], env=env) +except CalledProcessError, e: +root_logger.error(Failed to obtain host TGT.) +return CLIENT_INSTALL_ERROR +else: # Configure krb5.conf fstore.backup_file(/etc/krb5.conf) if configure_krb5_conf( -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
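Review bot: the kinit re-added in the `if options.on_master:` branch writes its ticket to whatever credential cache `env` names, so unless `env` carries a KRB5CCNAME the host TGT lands in the invoking user's default cache (the `FILE:/tmp/krb5cc_0` with a `host/...` default principal that Martin reports later in this thread); give the call a private install cache by setting KRB5CCNAME in the `env` passed to `run()` and destroy that cache when the installer finishes. Two smaller points in the same hunk: the bound exception `e` in `except CalledProcessError, e:` is never used and the log line is a fixed string, so kinit's own diagnostic is lost (log `e` as well), and the comment "If on master assume kerberos is already configured properly." now sits above code that does run kinit, so it should say what is being skipped (krb5.conf configuration) rather than read as a reason to skip Kerberos entirely.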
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 12.9.2012 14:09, Petr Viktorin wrote:
> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> When installing the client, we need to take extra care to only contact
>>>> the one server we're installing against. Otherwise, in the real world,
>>>> we might hit a server that hasn't replicated info about the client yet.
>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>> didn't have the host principal yet.
>>>>
>>>> To reproduce:
>>>> - Install a master and replica
>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>     done
>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>> - Sever communication between the hosts to disable replication:
>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>> - install client
>>>>
>>>> This will fail without the patch.
>>>>
>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>> explain the bug. I learned a lot.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>
>>> ACK, pushed to master and ipa-3-0
>>>
>>> rob
>>
>> The patch broke server installs. Please revert it if you're having
>> trouble while I look into it.
>
> I messed up and removed the kinit call entirely when installing on
> master. Attaching a fix.

Works for me, ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
Jan Cholasta wrote:
> On 12.9.2012 14:09, Petr Viktorin wrote:
>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> When installing the client, we need to take extra care to only contact
>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>> didn't have the host principal yet.
>>>>>
>>>>> To reproduce:
>>>>> - Install a master and replica
>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>     done
>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>> - Sever communication between the hosts to disable replication:
>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>> - install client
>>>>>
>>>>> This will fail without the patch.
>>>>>
>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>> explain the bug. I learned a lot.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>
>>>> ACK, pushed to master and ipa-3-0
>>>>
>>>> rob
>>>
>>> The patch broke server installs. Please revert it if you're having
>>> trouble while I look into it.
>>
>> I messed up and removed the kinit call entirely when installing on
>> master. Attaching a fix.
>
> Works for me, ACK.
>
> Honza

pushed to master and ipa-3-0
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
> On 12.9.2012 14:09, Petr Viktorin wrote:
>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> When installing the client, we need to take extra care to only contact
>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>> didn't have the host principal yet.
>>>>>
>>>>> To reproduce:
>>>>> - Install a master and replica
>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>     done
>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>> - Sever communication between the hosts to disable replication:
>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>> - install client
>>>>>
>>>>> This will fail without the patch.
>>>>>
>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>> explain the bug. I learned a lot.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>
>>>> ACK, pushed to master and ipa-3-0
>>>>
>>>> rob
>>>
>>> The patch broke server installs. Please revert it if you're having
>>> trouble while I look into it.
>>
>> I messed up and removed the kinit call entirely when installing on
>> master. Attaching a fix.
>
> Works for me, ACK.
>
> Honza

When the server installation is complete, I was surprised to see I now
have host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is an expected behavior, the installer should use a
CCACHE separate from the user's default.

Martin
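The klist output above is the symptom Martin describes: a host/ principal sitting in root's default credential cache after the installer ran kinit. As an added example (not code from FreeIPA, from this thread or from its patches), the Python below does three related things: it parses klist output (the sample is constructed from the output quoted above) and flags a host/ default principal in a user's cache; it builds the environment for a child kinit so the ticket lands in a private, owner-only FILE ccache without touching os.environ; and it writes a throw-away krb5.conf, handed to the child through KRB5_CONFIG, that pins the realm to a single KDC with DNS SRV lookup disabled, which is one way of making kinit talk to exactly one server (the thread does not show how patch 0078 itself achieves this). The function names, obtain_host_tgt in particular, are the example's own; the kinit and keytab paths are the ones in the patch.

```python
"""Added example for this thread (not FreeIPA code): check a user's
ccache for stray host credentials, and run kinit for a host principal
against one pinned KDC into a private ccache without touching
os.environ.  SAMPLE_KLIST is constructed from the klist output quoted
above; obtain_host_tgt() is a hypothetical helper that needs a real
keytab and KDC, so the offline self-check does not call it."""
import os
import re
import subprocess
import tempfile

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
"""

# One ticket row: start and expiry timestamps, then the service principal.
_TICKET_ROW = re.compile(
    r"^\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+(\S+)$")


def parse_klist(text):
    """Return (cache name, default principal, [service principals])."""
    cache = principal = None
    services = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = _TICKET_ROW.match(line)
            if m:
                services.append(m.group(1))
    return cache, principal, services


def host_credentials_in_cache(klist_text):
    """Return the default principal if it is a host key, else None.
    A user's cache should hold a user principal; host/... there means a
    tool ran `kinit -k` with the user's KRB5CCNAME instead of its own."""
    _, principal, _ = parse_klist(klist_text)
    return principal if principal and principal.startswith("host/") else None


def pinned_krb5_conf(realm, kdc_host):
    """krb5.conf text that sends every request for REALM to one KDC:
    SRV lookups are off and the realm lists a single kdc."""
    return ("[libdefaults]\n  default_realm = %s\n"
            "  dns_lookup_kdc = false\n  dns_lookup_realm = false\n"
            "[realms]\n  %s = {\n    kdc = %s:88\n  }\n"
            % (realm, realm, kdc_host))


def env_with_private_ccache(base_env=None, directory=None):
    """Copy of base_env (default os.environ) whose KRB5CCNAME names a
    fresh FILE ccache (mkstemp: mode 0600).  os.environ is not modified,
    so only children given this env use the private cache."""
    env = dict(os.environ if base_env is None else base_env)
    fd, path = tempfile.mkstemp(prefix="krb5cc_install_", dir=directory)
    os.close(fd)
    env["KRB5CCNAME"] = "FILE:" + path
    return env, path


def obtain_host_tgt(hostname, realm, kdc_host, keytab="/etc/krb5.keytab"):
    """Hypothetical: kinit -k for host/<hostname>@<realm>, talking only
    to kdc_host (via a private KRB5_CONFIG), into a private ccache.
    Returns (ccache path, krb5.conf path); the caller removes both."""
    env, ccache = env_with_private_ccache()
    fd, conf = tempfile.mkstemp(prefix="krb5_install_", suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(pinned_krb5_conf(realm, kdc_host))
    env["KRB5_CONFIG"] = conf
    argv = ["/usr/bin/kinit", "-k", "-t", keytab,
            "host/%s@%s" % (hostname, realm)]
    try:
        subprocess.run(argv, env=env, check=True, capture_output=True, text=True)
    except (OSError, subprocess.CalledProcessError) as e:
        for p in (ccache, conf):
            os.unlink(p)
        raise RuntimeError("Failed to obtain host TGT: %s"
                           % (getattr(e, "stderr", None) or e))
    return ccache, conf


def private_ccache_does_not_leak():
    """Offline self-check: the private env leaves os.environ alone and
    the cache file is owner-only.  True when both hold."""
    before = os.environ.get("KRB5CCNAME")
    env, path = env_with_private_ccache()
    try:
        return (env["KRB5CCNAME"] == "FILE:" + path
                and os.environ.get("KRB5CCNAME") == before
                and (os.stat(path).st_mode & 0o777) == 0o600)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("host credentials in user cache:",
          host_credentials_in_cache(SAMPLE_KLIST) or "none")
    print("private ccache isolated:", private_ccache_does_not_leak())
```

Only obtain_host_tgt() needs a keytab and a reachable KDC; everything else runs offline. Passing the cache and config through the child's env rather than os.environ is the design point: nothing else the installer runs afterwards inherits the host identity, and private_ccache_does_not_leak() is the check worth keeping in an installer's test suite.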
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>> On 12.9.2012 14:09, Petr Viktorin wrote:
>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> When installing the client, we need to take extra care to only contact
>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>> didn't have the host principal yet.
>>>>>>
>>>>>> To reproduce:
>>>>>> - Install a master and replica
>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>     done
>>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>>> - install client
>>>>>>
>>>>>> This will fail without the patch.
>>>>>>
>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>> explain the bug. I learned a lot.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>
>>>>> ACK, pushed to master and ipa-3-0
>>>>>
>>>>> rob
>>>>
>>>> The patch broke server installs. Please revert it if you're having
>>>> trouble while I look into it.
>>>
>>> I messed up and removed the kinit call entirely when installing on
>>> master. Attaching a fix.
>>
>> Works for me, ACK.
>>
>> Honza
>
> When the server installation is complete, I was surprised to see I now
> have host credentials in my CCACHE:
>
> # ipa-server-install --setup-dns
> ...
> ==============================================================================
> Setup complete
>
> Next steps:
>     1. You must make sure these network ports are open:
>         TCP Ports:
>           * 80, 443: HTTP/HTTPS
>           * 389, 636: LDAP/LDAPS
>           * 88, 464: kerberos
>           * 53: bind
>         UDP Ports:
>           * 88, 464: kerberos
>           * 53: bind
>           * 123: ntp
>
>     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>        and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>
> Valid starting     Expires            Service principal
> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>
> I don't think this is an expected behavior, the installer should use a
> CCACHE separate from the user's default.

Definitely, a private install ccache should be used.
Please open a ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 04:29 PM, Simo Sorce wrote:
> On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
>> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>>> On 12.9.2012 14:09, Petr Viktorin wrote:
>>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> When installing the client, we need to take extra care to only contact
>>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>>> didn't have the host principal yet.
>>>>>>>
>>>>>>> To reproduce:
>>>>>>> - Install a master and replica
>>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>>     done
>>>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>>>> - install client
>>>>>>>
>>>>>>> This will fail without the patch.
>>>>>>>
>>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>>> explain the bug. I learned a lot.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>>
>>>>>> ACK, pushed to master and ipa-3-0
>>>>>>
>>>>>> rob
>>>>>
>>>>> The patch broke server installs. Please revert it if you're having
>>>>> trouble while I look into it.
>>>>
>>>> I messed up and removed the kinit call entirely when installing on
>>>> master. Attaching a fix.
>>>
>>> Works for me, ACK.
>>>
>>> Honza
>>
>> When the server installation is complete, I was surprised to see I now
>> have host credentials in my CCACHE:
>>
>> # ipa-server-install --setup-dns
>> ...
>> ==============================================================================
>> Setup complete
>>
>> Next steps:
>>     1. You must make sure these network ports are open:
>>         TCP Ports:
>>           * 80, 443: HTTP/HTTPS
>>           * 389, 636: LDAP/LDAPS
>>           * 88, 464: kerberos
>>           * 53: bind
>>         UDP Ports:
>>           * 88, 464: kerberos
>>           * 53: bind
>>           * 123: ntp
>>
>>     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>>        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>>        and the web user interface.
>>
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this
>> file is the Directory Manager password
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>> Valid starting     Expires            Service principal
>> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
>> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>> I don't think this is an expected behavior, the installer should use a
>> CCACHE separate from the user's default.
>
> Definitely, a private install ccache should be used.
> Please open a ticket.
>
> Simo.

This is caused by a patch pushed today (in the scope of a fix for ticket
2982). Petr Viktorin is working on a fix which will be sent soon, so I
think that ticket is not necessary in this case.

Martin
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 04:04 PM, Martin Kosek wrote:
> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>> On 12.9.2012 14:09, Petr Viktorin wrote:
>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> When installing the client, we need to take extra care to only contact
>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>> didn't have the host principal yet.
>>>>>>
>>>>>> To reproduce:
>>>>>> - Install a master and replica
>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>     done
>>>>>>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>     ipa dnsrecord-find $DOMAIN  # check
>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf
>>>>>> - install client
>>>>>>
>>>>>> This will fail without the patch.
>>>>>>
>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>> explain the bug. I learned a lot.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>
>>>>> ACK, pushed to master and ipa-3-0
>>>>>
>>>>> rob
>>>>
>>>> The patch broke server installs. Please revert it if you're having
>>>> trouble while I look into it.
>>>
>>> I messed up and removed the kinit call entirely when installing on
>>> master. Attaching a fix.
>>
>> Works for me, ACK.
>>
>> Honza
>
> When the server installation is complete, I was surprised to see I now
> have host credentials in my CCACHE:
>
> # ipa-server-install --setup-dns
> ...
> ==============================================================================
> Setup complete
>
> Next steps:
>     1. You must make sure these network ports are open:
>         TCP Ports:
>           * 80, 443: HTTP/HTTPS
>           * 389, 636: LDAP/LDAPS
>           * 88, 464: kerberos
>           * 53: bind
>         UDP Ports:
>           * 88, 464: kerberos
>           * 53: bind
>           * 123: ntp
>
>     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>        and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>
> Valid starting     Expires            Service principal
> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>
> I don't think this is an expected behavior, the installer should use a
> CCACHE separate from the user's default.
>
> Martin

I need to slow down. Thanks for the catch. Attaching another fix.

-- 
Petr³

From c8499bed87d40c8b12e6f938d349a4a872180242 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 12 Sep 2012 10:30:31 -0400
Subject: [PATCH] Use temporary key cache for host key in server installation

This fixes an oversight in the earlier patch
---
 ipa-client/ipa-install/ipa-client-install | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 392aa65a0503a2ff647a8f6b089f8dfcc3fec094..3b1fd1a4486ccb3e5ad7f1f42b69f8ee988d2350 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1572,9 +1572,10 @@ def install(options, env, fstore, statestore): if options.on_master: # If on master assume kerberos is already configured properly. # Get the host TGT. +os.environ['KRB5CCNAME'] = CCACHE_FILE try: run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', -'host/%s@%s' % (hostname, cli_realm)], env=env) +'host/%s@%s' % (hostname, cli_realm)]) except CalledProcessError, e: root_logger.error(Failed to obtain host TGT.) return CLIENT_INSTALL_ERROR -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
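Review bot: `os.environ['KRB5CCNAME'] = CCACHE_FILE` switches the credential cache for the whole installer process and every child it spawns from this point on, and nothing in the hunk restores the previous value or removes CCACHE_FILE afterwards; keeping the `env=env` argument the hunk drops and setting `env['KRB5CCNAME'] = CCACHE_FILE` on that dict (or a copy of it) confines the private cache to the kinit call, and a try/finally around the assignment would do if the rest of install() genuinely needs the host ticket, in which case the cache should still be destroyed (kdestroy or unlink) on both the success and the error path. The subject line says "temporary key cache", but what CCACHE_FILE holds is a credential cache with a ticket, not a key; naming it a ccache in the subject and comment avoids confusion with the keytab the same call reads.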
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
Petr Viktorin wrote:
> When installing the client, we need to take extra care to only contact
> the one server we're installing against. Otherwise, in the real world,
> we might hit a server that hasn't replicated info about the client yet.
> This patch fixes a bug where kinit attempted to contact a KDC that
> didn't have the host principal yet.
>
> To reproduce:
> - Install a master and replica
> - Change the Kerberos DNS entries to only point to the replica:
>     for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>         ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>     done
>     ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>     ipa dnsrecord-find $DOMAIN  # check
> - Sever communication between the hosts to disable replication:
>     (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
> - On client machine, put master as nameserver in /etc/resolv.conf
> - install client
>
> This will fail without the patch.
>
> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
> explain the bug. I learned a lot.
>
> https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob