Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

2011-02-14 Thread Rob Crittenden

Martin Kosek wrote:

On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:

Martin Kosek <mko...@redhat.com> wrote:

When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.

wget call had to be changed so that IPA client may get to the
ipa-join step. --no-check-certificate had to be added as V1
server automatically redirects the request to self-signed secure
connection.

https://fedorahosted.org/freeipa/ticket/553


The patch is ok and applies correctly. My only thought was to download the
certificate directly from https:///ca.crt instead of plain http, but there
is probably no real benefit.

ack

Jan


Jan, thanks for the review. And yes, I could not see a benefit either.
Since the IPA server certificate is not confidential information, the
secure connection is not needed. And since we do not trust the server's
certificate in this step of installation and --no-check-certificate is
used, a secure connection would not be used for server identity validation
either.

Therefore, I would ask for the patch to be pushed.

Martin


I can't duplicate the behavior of it redirecting to the SSL port. The 
/ipa/config directory is purposely excluded from the SSL redirect for 
this purpose, even on v1 servers. Can we drop that part of the patch?


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

2011-02-14 Thread Martin Kosek
On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
  Martin Kosek <mko...@redhat.com> wrote:
  When v2 IPA client is trying to join an IPA v1 server
  a strange exception is printed out to the user. This patch
  detects this by catching an XML-RPC error reported by ipa-join
  binary called in the process which fails on unexisting IPA server
  'join' method.
 
  wget call had to be changed so that IPA client may get to the
  ipa-join step. --no-check-certificate had to be added as V1
  server automatically redirects the request to self-signed secure
  connection.
 
  https://fedorahosted.org/freeipa/ticket/553
 
  The patch is ok and applies correctly. My only thought was to download the
  certificate directly from https:///ca.crt instead of plain http, but there
  is probably no real benefit.
 
  ack
 
  Jan
 
  Jan, thanks for the review. And yes, I could not see a benefit either.
  Since the IPA server certificate is not confidential information, the
  secure connection is not needed. And since we do not trust the server's
  certificate in this step of installation and --no-check-certificate is
  used, a secure connection would not be used for server identity validation
  either.
 
  Therefore, I would ask for the patch to be pushed.
 
  Martin
 
 I can't duplicate the behavior of it redirecting to the SSL port. The 
 /ipa/config directory is purposely excluded from the SSL redirect for 
 this purpose, even on v1 servers. Can we drop that part of the patch?
 
 rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the
following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this
case you may drop this part of the patch.

Martin


Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

2011-02-14 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:

Martin Kosek <mko...@redhat.com> wrote:

When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.

wget call had to be changed so that IPA client may get to the
ipa-join step. --no-check-certificate had to be added as V1
server automatically redirects the request to self-signed secure
connection.

https://fedorahosted.org/freeipa/ticket/553


The patch is ok and applies correctly. My only thought was to download the
certificate directly from https:///ca.crt instead of plain http, but there
is probably no real benefit.

ack

Jan


Jan, thanks for the review. And yes, I could not see a benefit either.
Since the IPA server certificate is not confidential information, the
secure connection is not needed. And since we do not trust the server's
certificate in this step of installation and --no-check-certificate is
used, a secure connection would not be used for server identity validation
either.

Therefore, I would ask for the patch to be pushed.

Martin


I can't duplicate the behavior of it redirecting to the SSL port. The
/ipa/config directory is purposely excluded from the SSL redirect for
this purpose, even on v1 servers. Can we drop that part of the patch?

rob


I experience this behavior on IPA v1 running on RHEL 5.5 with the
following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this
case you may drop this part of the patch.

Martin



Ok, pushed to master without the wget change.

rob


Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

2011-02-09 Thread Martin Kosek
On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
 Martin Kosek <mko...@redhat.com> wrote:
  When v2 IPA client is trying to join an IPA v1 server
  a strange exception is printed out to the user. This patch
  detects this by catching an XML-RPC error reported by ipa-join
  binary called in the process which fails on unexisting IPA server
  'join' method.
  
  wget call had to be changed so that IPA client may get to the
  ipa-join step. --no-check-certificate had to be added as V1
  server automatically redirects the request to self-signed secure
  connection.
  
  https://fedorahosted.org/freeipa/ticket/553
 
 The patch is ok and applies correctly. My only thought was to download the
 certificate directly from https:///ca.crt instead of plain http, but there
 is probably no real benefit.
 
 ack
 
 Jan

Jan, thanks for the review. And yes, I could not see a benefit either.
Since the IPA server certificate is not confidential information, the
secure connection is not needed. And since we do not trust the server's
certificate in this step of installation and --no-check-certificate is
used, a secure connection would not be used for server identity validation
either.

Therefore, I would ask for the patch to be pushed.

Martin



[Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

2011-02-03 Thread Martin Kosek
When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.

wget call had to be changed so that IPA client may get to the
ipa-join step. --no-check-certificate had to be added as V1
server automatically redirects the request to self-signed secure
connection.

https://fedorahosted.org/freeipa/ticket/553

From d3282093128b34158ceae6264cf4c53fd49130d0 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 3 Feb 2011 17:20:26 +0100
Subject: [PATCH] Detection of v1 server during ipa-client-install

When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.

wget call had to be changed so that IPA client may get to the
ipa-join step. --no-check-certificate had to be added as V1
server automatically redirects the request to self-signed secure
connection.

https://fedorahosted.org/freeipa/ticket/553
---
 ipa-client/ipa-install/ipa-client-install |8 ++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 66e4a14872bb5ccde98816fd30683e0d8500ac34..1800f28f7a3ea4daa512b8d1624ce3e5de12432d 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -630,7 +630,7 @@ def main():
 pass
 
 try:
-run([/usr/bin/wget, -O, /etc/ipa/ca.crt, http://%s/ipa/config/ca.crt; % cli_server])
+run([/usr/bin/wget, -O, /etc/ipa/ca.crt, --no-check-certificate, http://%s/ipa/config/ca.crt; % cli_server])
 except CalledProcessError, e:
 sys.exit('Retrieving CA from %s failed.\n%s' % (cli_server, str(e)))
 
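Review bot: the `--no-check-certificate` option added to the `run([/usr/bin/wget, ...])` line is attached to a plain `http://` URL, so it only has an effect if the server redirects the request to https; the thread itself could not agree on whether `/ipa/config` is redirected on current v1 servers, so the option either does nothing or silently disables certificate verification for the very fetch that writes the client's CA trust anchor to /etc/ipa/ca.crt. Suggest dropping it unless the redirect is confirmed on a supported v1 release, or, if it stays, adding a comment on this line stating why skipping verification is acceptable at this step (the certificate being fetched is the one the client cannot trust yet) so the flag is not later copied to fetches where it would matter.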
@@ -683,7 +683,11 @@ def main():
 (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env)
 
 if returncode != 0:
-print sys.stderr, Joining realm failed: %s % stderr,
+if returncode == 17:# XML-RPC fault - possible IPA v1/v2 incompatibility
+print Joining realm failed because of failing XML-RPC request.
+print   This error may be caused by incompatible server/client major versions.
+else:
+print sys.stderr, Joining realm failed: %s % stderr,
 if not options.force:
 return 1
 print   Use ipa-getkeytab to obtain a host principal for this server.
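Review bot: `returncode == 17` is a bare magic number in the new `if` branch; give it a named constant (or a comment pointing at where ipa-join defines that exit status) so the mapping to "XML-RPC fault" is not lost when exit codes change. Two smaller points in the same branch: the two new `print` statements write to stdout while the `else` branch still writes to `sys.stderr`, so the failure lands on different streams depending on its cause; and the v1 branch discards `stderr`, losing the actual fault text a user would need to confirm the version mismatch. Suggest sending both branches to `sys.stderr` and appending the captured output, e.g. `print >> sys.stderr, "Joining realm failed because of failing XML-RPC request: %s" % stderr`.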
-- 
1.7.4
