[Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment

Martin Kosek mkosek at redhat.com
Thu Aug 11 11:59:18 UTC 2011


On Thu, 2011-08-11 at 13:07 +0300, Alexander Bokovoy wrote:
> On 11.08.2011 12:19, Martin Kosek wrote:
> > This is a first shot for client enrollment fix. I had to pull the new
> > version of xmlrpc-c from koji as it is not in updates-testing repo yet:
> > 
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=257947
> > 
> > Fixed curl package is already in stable repos.
> > 
> > Unfortunately, it seems that credentials are not delegated yet. I still
> > get "did not receive Kerberos credentials" error from the server. Any
> > idea what went wrong? Adding xmlrpc-c maintainer on CC.
> 
> Looking at ipa-join.c patch, I noticed one thing:
> > diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
> > index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644
> > --- a/ipa-client/ipa-join.c
> > +++ b/ipa-client/ipa-join.c
> > @@ -149,6 +149,8 @@ callRPC(xmlrpc_env *            const envP,
> >      curlXportParmsP->no_ssl_verifypeer = 1;
> >      curlXportParmsP->no_ssl_verifyhost = 1;
> >      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
> > +    /* Enable GSSAPI credentials delegation */
> > +    curlXportParmsP->gssapi_delegation = 1;
> >  
> >      clientparms.transport = "curl";
> >      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
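
Review bot: The added gssapi_delegation = 1 sits directly under no_ssl_verifypeer = 1 and no_ssl_verifyhost = 1, so credentials are offered for delegation over a connection whose TLS certificate and host name are not checked, even though cainfo names a CA file. The comment should say why the server needs delegated credentials. The two verify overrides are also worth revisiting in the same change, so that delegation is only enabled towards a server whose certificate validated against /etc/ipa/ca.crt.
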
> 
> I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation:
> 
> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
> index 95f2939..f6ca693 100644
> --- a/ipa-client/ipa-join.c
> +++ b/ipa-client/ipa-join.c
> @@ -149,11 +149,13 @@ callRPC(xmlrpc_env *            const envP,
>      curlXportParmsP->no_ssl_verifypeer = 1;
>      curlXportParmsP->no_ssl_verifyhost = 1;
>      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
> +    /* Enable GSSAPI credentials delegation */
> +    curlXportParmsP->gssapi_delegation = 1;
> 
>      clientparms.transport = "curl";
>      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
>              curlXportParmsP;
> -    clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
> +    clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
>      xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
>                           &clientparms, sizeof(clientparms),
>                           &clientP);
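
Review bot: The transportparm_size line now names gssapi_delegation in XMLRPC_CXPSIZE(), so this file only compiles against an xmlrpc-c whose curl transport parameters have that member. The change should come with a matching minimum-version build requirement or a configure check, so an older library produces a clear build error rather than a failure inside callRPC. It would also help to put a short comment next to the size line saying it must name the last member that is set above, since the two can drift apart silently, as they did in the first version.
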
> 

Thanks, that was the problem. I wonder how I missed it. Attaching the
updated patch, client enrollment on F-15 works.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-108-2-fix-client-enrollment.patch
Type: text/x-patch
Size: 3065 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110811/c9db30c3/attachment.bin>
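
Why setting the new member alone was not enough, as an added example that is not part of the thread and is not xmlrpc-c code: a small model of a size-versioned parameter struct, assuming the library reads a member only when the caller's declared size covers it. The names struct xport_parms, PARMS_SIZE and effective_delegation are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical parameter struct: later library versions append members. */
struct xport_parms {
    int no_ssl_verifypeer;
    int no_ssl_verifyhost;
    const char *cainfo;
    int gssapi_delegation;          /* appended by a later version */
};

/* Size of the struct up to and including member m
 * (a model of a CXPSIZE-style macro, not the library's definition). */
#define PARMS_SIZE(m) \
    (offsetof(struct xport_parms, m) + sizeof(((struct xport_parms *)0)->m))

/* Library side: a member counts as supplied only if the size the
 * caller declared reaches past the end of that member. */
#define MEMBER_PRESENT(size, m) ((size) >= PARMS_SIZE(m))

/* Returns the delegation setting the library would actually apply. */
int effective_delegation(const struct xport_parms *p, size_t declared_size)
{
    if (!MEMBER_PRESENT(declared_size, gssapi_delegation))
        return 0;                   /* outside declared size: treated as unset */
    return p->gssapi_delegation;
}

int main(void)
{
    /* Constructed sample values; the caller sets delegation in both cases. */
    struct xport_parms p = { 0, 0, "/etc/ipa/ca.crt", 1 };

    /* Size still ends at cainfo: the assignment is silently ignored. */
    printf("size through cainfo:            delegation=%d\n",
           effective_delegation(&p, PARMS_SIZE(cainfo)));

    /* Size extended to the new member: the assignment takes effect. */
    printf("size through gssapi_delegation: delegation=%d\n",
           effective_delegation(&p, PARMS_SIZE(gssapi_delegation)));
    return 0;
}
```
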

