Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
Martin Kosek wrote:
> On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>>>> Martin Kosek wrote:
>>>>> When a v2 IPA client is trying to join an IPA v1 server, a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method.
>>>>>
>>>>> The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as the V1 server automatically redirects the request to a self-signed secure connection.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/553
>>>>
>>>> The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit.
>>>>
>>>> ack
>>>>
>>>> Jan
>>>
>>> Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information, the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection could not be used for server identity validation either.
>>>
>>> Therefore, I would ask for the patch to be pushed.
>>>
>>> Martin
>>
>> I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch?
>>
>> rob
>
> I experience this behavior on IPA v1 running on RHEL 5.5 with the following IPA version:
>
> $ rpm -q ipa-server
> ipa-server-1.0.0-15.el5ipa
>
> It may have been changed in a higher IPA v1 version, like 1.2x. In this case you may drop this part of the patch.
>
> Martin

Ok, pushed to master without the wget change.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>>> Martin Kosek wrote:
>>>> When a v2 IPA client is trying to join an IPA v1 server, a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method.
>>>>
>>>> The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as the V1 server automatically redirects the request to a self-signed secure connection.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/553
>>>
>>> The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit.
>>>
>>> ack
>>>
>>> Jan
>>
>> Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information, the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection could not be used for server identity validation either.
>>
>> Therefore, I would ask for the patch to be pushed.
>>
>> Martin
>
> I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch?
>
> rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in a higher IPA v1 version, like 1.2x. In this case you may drop this part of the patch.
Martin
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
Martin Kosek wrote:
> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>> Martin Kosek wrote:
>>> When a v2 IPA client is trying to join an IPA v1 server, a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method.
>>>
>>> The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as the V1 server automatically redirects the request to a self-signed secure connection.
>>>
>>> https://fedorahosted.org/freeipa/ticket/553
>>
>> The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit.
>>
>> ack
>>
>> Jan
>
> Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information, the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection could not be used for server identity validation either.
>
> Therefore, I would ask for the patch to be pushed.
>
> Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch?

rob
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
> Martin Kosek wrote:
>> When a v2 IPA client is trying to join an IPA v1 server, a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method.
>>
>> The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as the V1 server automatically redirects the request to a self-signed secure connection.
>>
>> https://fedorahosted.org/freeipa/ticket/553
>
> The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit.
>
> ack
>
> Jan

Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information, the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection could not be used for server identity validation either.

Therefore, I would ask for the patch to be pushed.

Martin
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
Martin Kosek wrote:
> When a v2 IPA client is trying to join an IPA v1 server, a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method.
>
> The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as the V1 server automatically redirects the request to a self-signed secure connection.
>
> https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit.

ack

Jan
[Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553 >From d3282093128b34158ceae6264cf4c53fd49130d0 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Thu, 3 Feb 2011 17:20:26 +0100 Subject: [PATCH] Detection of v1 server during ipa-client-install When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553 --- ipa-client/ipa-install/ipa-client-install |8 ++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 66e4a14872bb5ccde98816fd30683e0d8500ac34..1800f28f7a3ea4daa512b8d1624ce3e5de12432d 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -630,7 +630,7 @@ def main(): pass try: -run(["/usr/bin/wget", "-O", "/etc/ipa/ca.crt", "http://%s/ipa/config/ca.crt"; % cli_server]) +run(["/usr/bin/wget", "-O", "/etc/ipa/ca.crt", "--no-check-certificate", "http://%s/ipa/config/ca.crt"; % cli_server]) except CalledProcessError, e: sys.exit('Retrieving CA from %s failed.\n%s' % (cli_server, str(e))) 
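Review bot: the `;` after the URL string in both the removed and the added line (`"http://%s/ipa/config/ca.crt"; % cli_server`) is a syntax error inside a list literal, so confirm the committed line reads `"http://%s/ipa/config/ca.crt" % cli_server` and that the `;` is only an artifact of the archive's URL rendering. On the change itself, `--no-check-certificate` only takes effect if the server redirects the `/ipa/config/ca.crt` request to HTTPS, and it then accepts any certificate, so the CA download is authenticated no better than the plain-HTTP fetch it replaces; if `/ipa/config` is excluded from the SSL redirect, as Rob notes in his reply, the flag is dead code and should be dropped, and if some v1 release really does redirect, a comment naming that release belongs next to the flag so a later reader does not take it for a deliberate disabling of certificate checks in the installer.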
@@ -683,7 +683,11 @@ def main(): (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) if returncode != 0: -print >>sys.stderr, "Joining realm failed: %s" % stderr, +if returncode == 17:# XML-RPC fault - possible IPA v1/v2 incompatibility +print "Joining realm failed because of failing XML-RPC request." +print " This error may be caused by incompatible server/client major versions." +else: +print >>sys.stderr, "Joining realm failed: %s" % stderr, if not options.force: return 1 print " Use ipa-getkeytab to obtain a host principal for this server." -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
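Review bot: `17` in `if returncode == 17:` is a magic number explained only by a trailing comment; give it a named constant next to the other ipa-join exit codes, with a comment pointing at the ipa-join source that sets it, so the mapping can be verified when either side changes. The new branch also prints to stdout while the `else` branch writes to `sys.stderr`, and it discards the `stderr` captured from ipa-join, which is the only detail an admin has when the fault is not a version mismatch; suggest keeping both messages on stderr and appending the captured output: `print >>sys.stderr, "Joining realm failed because of failing XML-RPC request."` followed by `print >>sys.stderr, " This error may be caused by incompatible server/client major versions.\n%s" % stderr`. Minor style: `17:# XML-RPC fault` wants two spaces before the `#`.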