Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-09 Thread Martin Basti



On 08.12.2015 13:19, Martin Basti wrote:



On 08.12.2015 13:09, Jan Cholasta wrote:

On 8.12.2015 12:49, Martin Basti wrote:



On 08.12.2015 10:31, Martin Basti wrote:



On 08.12.2015 08:52, Jan Cholasta wrote:

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 






Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?

https://fedorahosted.org/freeipa/ticket/5525





2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could
you file a ticket?


https://fedorahosted.org/freeipa/ticket/5527



Up

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-08 Thread Martin Basti



On 08.12.2015 13:09, Jan Cholasta wrote:

On 8.12.2015 12:49, Martin Basti wrote:



On 08.12.2015 10:31, Martin Basti wrote:



On 08.12.2015 08:52, Jan Cholasta wrote:

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 






Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?

https://fedorahosted.org/freeipa/ticket/5525





2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could
you file a ticket?


https://fedorahosted.org/freeipa/ticket/5527



Updated patch attached.


Working on review



Is this

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-08 Thread Jan Cholasta

On 8.12.2015 12:49, Martin Basti wrote:



On 08.12.2015 10:31, Martin Basti wrote:



On 08.12.2015 08:52, Jan Cholasta wrote:

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
.




Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?

https://fedorahosted.org/freeipa/ticket/5525





2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
--skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could
you file a ticket?


https://fedorahosted.org/freeipa/ticket/5527



Updated patch attached.


Working on review



Is this expected that client will be installed even if there is not
enough pri

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-08 Thread Martin Basti



On 08.12.2015 10:31, Martin Basti wrote:



On 08.12.2015 08:52, Jan Cholasta wrote:

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes 
.


Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 





Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?

https://fedorahosted.org/freeipa/ticket/5525





2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
--skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could 
you file a ticket?


https://fedorahosted.org/freeipa/ticket/5527



Updated patch attached.


Working on review



Is this expected that client will be installed even if there is not 
enough privileges to install repl

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-08 Thread Martin Basti



On 08.12.2015 08:52, Jan Cholasta wrote:

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes 
.


Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 





Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?

https://fedorahosted.org/freeipa/ticket/5525





2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
--skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could you 
file a ticket?


https://fedorahosted.org/freeipa/ticket/5527



Updated patch attached.


Working on review

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://w

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-07 Thread Jan Cholasta

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
.



Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?



2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
--skip-conncheck


    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


This is the same as 2).



4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


The same thing happens without my patch for any other error. Could you 
file a ticket?


Updated patch attached.

--
Jan Cholasta
From 6652e17c952405c5cfcd21ac5aed07e40a1d3284 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 45 

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-07 Thread Martin Basti



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 



Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked 
interactively during OTP replica promotion. Fixed.


Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO 
this is for conncheck)


2)
When host is not in ipaservers hostgroup. Also I would expect different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck



    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available



3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in 
ipaservers group; if host is in ipaservers group it works)


ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major 
(851968): Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information


4)
This is not user friendly.
I used a wrong OTP password; can we somehow propagate the actual error 
from the client install to stderr?


ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of 
client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' 
'--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 
'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' 
returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-06 Thread Jan Cholasta

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
.


Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked 
interactively during OTP replica promotion. Fixed.


Updated and rebased patch attached.

--
Jan Cholasta
From 14ea04301a876d2f955600ba7f482a7d492b7903 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 64 ++
 1 file changed, 39 insertions(+), 25 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8a9120a..96c470c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -776,7 +776,9 @@ def ensure_enrolled(installer):
 config = installer._config
 
 # Perform only if we have the necessary options
-if not any([installer.admin_password, installer.keytab]):
+if not any([installer.password,
+installer.admin_password,
+installer.keytab]):
 sys.exit("IPA client is not configured on this system.\n"
  "You must join the system by running 'ipa-client-install' "
  "first. Alternatively, you may specify enrollment related "
@@ -786,6 +788,8 @@ def ensure_enrolled(installer):
 service.print_msg("Configuring client side components")
 try:
 args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+stdin = None
+
 if installer.domain_name:
 args.extend(["--domain", installer.domain_name])
 if installer.server:
@@ -795,12 +799,16 @@ def ensure_enrolled(installer):
 if installer.host_name:
 args.extend(["--hostname", installer.host_name])
 
-if installer.admin_password:
-# Always set principal if password was set explicitly,
-# the password itself gets passed directly via stdin
-args.extend(["--principal", installer.principal or "admin"])
-if installer.keytab:
-args.extend(["--keytab", installer.keytab])
+if installer.password:
+args.extend(["--password", installer.password])
+else:
+if installer.admin_password:
+# Always set principal if password was set explicitly,
+# the password itself gets passed directly via stdin
+args.extend(["--principal", installer.principal or "admin"])
+stdin = installer.admin_password
+if installer.keytab:
+args.extend(["--keytab", installer.keytab])
 
 if installer.no_dns_sshfp:
 args.append("--no-dns-sshfp")
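Review bot: the bulk enrollment password is handed to ipa-client-install as a command-line argument (`args.extend(["--password", installer.password])`), whereas the admin password in the same hunk is deliberately routed through stdin (`stdin = installer.admin_password`). An argv value is visible to every local user in the process list for the lifetime of the client install, and the failure branch below this hunk (`sys.exit("Configuration of client side components failed!\n" ...`) echoes the whole command, secret included, to stderr, which is exactly what the reported output `ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' ... '--password' 'buba''` shows. Pass the bulk password through the same stdin path if the client installer can consume it that way, and in any case redact the `--password` value from the error message. Minor style point: `else:` followed by `if installer.admin_password:` can be flattened to `elif installer.admin_password:`.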
@@ -813,7 +821,7 @@ def ensure_enrolled(installer):
 if installer.mkhomedir:
 args.append("--mkhomedir")
 
-ipautil.run(args, stdin=installer.admin_password or None)
+ipautil.run(args, stdin=stdin)
 
 except Exception as e:
 sys.exit("Configuration of client side components failed!\n"
@@ -972,16 +980,17 @@ def promote_check(installer):
 add_to_ipaservers = not result
 
 if add_to_ipaservers:
-if installer._ccache is None:
-del os.environ['KRB5CCNAME']
-else:
-os.environ['KRB5CCNAME'] = installer._ccache
-
-try:
-installutils.check_creds(options, config.realm_name)
-installer._ccache = os.environ.get('KRB5CCNAME')
-finally:
-os.environ['KRB5CCNAME'] = ccache
+if not options.password or options.admin_password:
+if installer._ccache is None:
+del os.environ['KRB5CCNAME']
+else:
+os.environ['KRB5CCNAME'] = installer._ccache
+
+try:
+installutils.check_creds(options, config.realm_name)
+installer._ccache = os.environ.get('KRB5CCNAME')
+finally:
+os.environ['KRB5CCNAME'] = ccache
 
 conn.disconnect()
 conn.connect(ccache=installer._ccache)
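Review bot: when the new guard `if not options.password or options.admin_password:` skips `installutils.check_creds(...)`, `installer._ccache` is never assigned in this block and can still be `None` when `conn.connect(ccache=installer._ccache)` runs two lines later, so a host that was enrolled with only the bulk password and is not yet in the `ipaservers` host group gets no credentials for the LDAP connection; this is consistent with the reported `promote_check` -> `conn.connect(ccache=installer._ccache)` -> `CCacheError: ... No Kerberos credentials available` failure instead of an actionable message. The condition is also easy to misread (`(not options.password) or options.admin_password`); handle the `add_to_ipaservers and options.password and not options.admin_password` case explicitly and exit with a message that the host must already be a member of `ipaservers` or admin credentials must be supplied, rather than falling through to the GSS error.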
@@ -1348,11 +1357,14 @@ class Replica(BaseServer):
  "multiple times"),
 )
 
-dm_password = Knob(
+dm_password = None
+
+password = Knob(
 BaseServer.dm_pas

[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-02 Thread Jan Cholasta

Hi,

the attached patch fixes .

Note that you still have to provide admin password in 
ipa-replica-install, either using --admin-password or interactively, 
because:


a) Admin password is required for replica promotion. This will be fixed 
with .


Patches are on the list: 
.


b) Admin password is required for connection check. This will be fixed 
with .


Honza

--
Jan Cholasta
From 251df9d82f59183cec876ed2dbc6efe05d21ffb1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 42 +++---
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 74069f0..0f0a9c7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -756,7 +756,9 @@ def ensure_enrolled(installer):
 config = installer._config
 
 # Perform only if we have the necessary options
-if not any([installer.admin_password, installer.keytab]):
+if not any([installer.password,
+installer.admin_password,
+installer.keytab]):
 sys.exit("IPA client is not configured on this system.\n"
  "You must join the system by running 'ipa-client-install' "
  "first. Alternatively, you may specify enrollment related "
@@ -766,6 +768,8 @@ def ensure_enrolled(installer):
 service.print_msg("Configuring client side components")
 try:
 args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+stdin = None
+
 if installer.domain_name:
 args.extend(["--domain", installer.domain_name])
 if installer.server:
@@ -775,12 +779,16 @@ def ensure_enrolled(installer):
 if installer.host_name:
 args.extend(["--hostname", installer.host_name])
 
-if installer.admin_password:
-# Always set principal if password was set explicitly,
-# the password itself gets passed directly via stdin
-args.extend(["--principal", installer.principal or "admin"])
-if installer.keytab:
-args.extend(["--keytab", installer.keytab])
+if installer.password:
+args.extend(["--password", installer.password])
+else:
+if installer.admin_password:
+# Always set principal if password was set explicitly,
+# the password itself gets passed directly via stdin
+args.extend(["--principal", installer.principal or "admin"])
+stdin = installer.admin_password
+if installer.keytab:
+args.extend(["--keytab", installer.keytab])
 
 if installer.no_dns_sshfp:
 args.append("--no-dns-sshfp")
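Review bot: `args.extend(["--password", installer.password])` puts the bulk enrollment secret on the ipa-client-install command line, unlike the admin password in the same hunk, which goes through `stdin = installer.admin_password`; the argv is readable by any local user while the client install runs and is repeated verbatim in the `sys.exit("Configuration of client side components failed!\n" ...` message below the hunk. Prefer the stdin path for the bulk password too, or at least strip the `--password` value from the error text. `else:` followed by `if installer.admin_password:` is an `elif`.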
@@ -793,7 +801,7 @@ def ensure_enrolled(installer):
 if installer.mkhomedir:
 args.append("--mkhomedir")
 
-ipautil.run(args, stdin=installer.admin_password or None)
+ipautil.run(args, stdin=stdin)
 
 except Exception as e:
 sys.exit("Configuration of client side components failed!\n"
@@ -1164,11 +1172,14 @@ class Replica(BaseServer):
  "multiple times"),
 )
 
-dm_password = Knob(
+dm_password = None
+
+password = Knob(
 BaseServer.dm_password,
-description="Directory Manager (existing master) password",
-cli_name='password',
-cli_metavar='PASSWORD',
+description=("Password to join the IPA realm. Assumes bulk password "
+ "unless principal is also set. (domain level 1+)\n"
+ "Directory Manager (existing master) password. "
+ "(domain level 0)"),
 )
 
 admin_password = Knob(
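Review bot: the rewritten `password` Knob gives `--password` two meanings chosen by domain level and by whether `--principal` is also set ("Assumes bulk password unless principal is also set. (domain level 1+)" versus "Directory Manager (existing master) password. (domain level 0)"). A Directory Manager password given at domain level 1 without `--principal` will therefore be forwarded to ipa-client-install as a bulk enrollment password and fail in the client-install step rather than with a message about the DM password; the `--principal` help text should state that it changes the meaning of `--password`. The old Knob's `cli_metavar='PASSWORD'` is also dropped here, so check that the generated help still shows a sensible argument name.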
@@ -1246,6 +1257,10 @@ class Replica(BaseServer):
 
 if self.replica_file is None:
 self.promote = True
+
+if self.principal and not self.admin_password:
+self.admin_password = self.password
+self.password = None
 else:
 if not ipautil.file_exists(self.replica_file):
 raise RuntimeError("Replica file %s does not exist"
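Review bot: `if self.principal and not self.admin_password:` silently moves the `--password` value into `self.admin_password` and clears `self.password`, but when both `--principal` and `--admin-password` are supplied `self.password` keeps its value and, per the `ensure_enrolled` hunk above where `installer.password` takes precedence, is then sent to ipa-client-install as a bulk password, which is unlikely to be what the user meant. Reject that combination (or ignore `--password` with a warning), and add a comment explaining the reinterpretation, since nothing in the hunk documents it.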
@@ -1258,7 +1273,6 @@ class Replica(BaseServer):
 CLIKnob(self.domain_name, '--domain'),
 CLIKnob(self.host_name, '--hostname'),
 CLIKnob(self.server, '--server'),
-CLIKnob(self.admin_password, '--admin-password'),
 CLIKnob(self.principal, '--principal'),
 )
 
@@ -1281,8 +1295,6 @@ class Replica(BaseServer):
 "You must specif