[Freeipa-devel] [PATCH] 0070 Ask for admin password in ipa-adtrust-install

Petr Viktorin pviktori at redhat.com
Thu Aug 23 14:26:01 UTC 2012


On 08/17/2012 11:04 AM, Alexander Bokovoy wrote:
> Hi,
>
> The credentials of the admin user will be used to obtain a Kerberos ticket
> before configuring cross-realm trust support and afterwards, to
> ensure that the ticket contains the MS-PAC information required to actually
> add a trust with an Active Directory domain via the 'ipa trust-add --type=ad'
> command.
>
> We discussed a few other approaches with Simo and decided to go for this
> one as the simplest. By default, Kerberos tickets issued in an IPA install
> are not renewable, so it is not possible to use 'kinit -R' to renew an
> existing ticket. Another approach was to modify our KDB driver to attach
> the MS-PAC to selected service tickets rather than to the TGT, but this means we
> lose the advantage of 'caching' MS-PAC creation (which may be costly
> due to LDAP lookups for gathering group membership) as part of the TGT
> ticket.
>
> In the end, adding two options to ipa-adtrust-install, which is run only
> once, is simpler.
>
> -A (--admin-name, defaults to 'admin') allows specifying the admin user
> -a (--admin-password) allows specifying the admin user's password
>
> If the admin password is not specified, the existing default ccache credentials
> are used and a warning message about the need to re-kinit is shown at the end.
>
> Unattended install is treated as if the admin password was not specified.
>
> http://fedorahosted.org/freeipa/ticket/2852
>

Looks good, ACK. Just put in spaces after the commas before you push:
+    admin_password = read_password(admin_name,confirm=False,validate=None)
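Review bot: `validate=None` switches off password-strength validation in read_password, and `confirm=False` skips the re-type prompt; both are the right choice here because the call reads the admin user's existing password to obtain a Kerberos ticket rather than setting a new one, but a one-line comment above the call stating that would stop a later reader from mistaking it for a weakened check.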


-- 
Petr³
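The option handling the thread describes (a default admin name of 'admin', an optional password, a fallback to the existing default ccache with a re-kinit warning, and unattended mode treated as "no password given") is modelled below as an added example. This is not FreeIPA's code: the function names, the dataclass, the injectable `prompt` and `runner` callables and the wording of the warning are assumptions made for illustration.

```python
"""Admin-credential resolution for an ipa-adtrust-install-style installer.

Added illustration, not FreeIPA's own code. It models the behaviour
described in the thread: -A/--admin-name (default 'admin'), -a/--admin-password,
fallback to the default ccache with a re-kinit warning when no password is
given, and unattended mode treated as if no password had been given.
"""
import getpass
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_ADMIN_NAME = "admin"  # -A/--admin-name default described in the thread

# Hypothetical wording of the end-of-install warning.
REKINIT_WARNING = (
    "Existing credentials in the default ccache were used during setup; "
    "run 'kinit {user}' again so the fresh ticket carries the MS-PAC "
    "before running 'ipa trust-add --type=ad'."
)


@dataclass
class AdminCredentials:
    name: str
    password: Optional[str]  # None means: rely on the existing default ccache
    warn_rekinit: bool       # True when the user must re-kinit after install


def resolve_admin_credentials(admin_name: Optional[str] = None,
                              admin_password: Optional[str] = None,
                              unattended: bool = False,
                              prompt: Callable[[str], str] = getpass.getpass
                              ) -> AdminCredentials:
    """Decide whether a fresh TGT will be obtained or the ccache reused."""
    name = admin_name or DEFAULT_ADMIN_NAME
    if unattended:
        # Unattended install never prompts and behaves as if -a was not given,
        # even if a password was supplied on the command line.
        return AdminCredentials(name, None, True)
    password = admin_password
    if password is None:
        # Interactive: a single prompt, no confirmation and no strength
        # validation, because this is an existing password, not a new one.
        # An empty answer means "use the credentials already in my ccache".
        password = prompt(f"{name} password: ") or None
    if password is None:
        return AdminCredentials(name, None, True)
    return AdminCredentials(name, password, False)


def kinit_with_password(creds: AdminCredentials,
                        runner: Callable = subprocess.run) -> bool:
    """Obtain a fresh TGT with `kinit <user>`, feeding the password on stdin.

    Returns True on success. With no password it is a no-op (returns False):
    the installer keeps using whatever is in the default ccache.
    """
    if creds.password is None:
        return False
    result = runner(["kinit", creds.name], input=creds.password + "\n",
                    text=True, capture_output=True)
    return result.returncode == 0


def completion_message(creds: AdminCredentials) -> Optional[str]:
    """Warning to print at the end of the install, or None if not needed."""
    return REKINIT_WARNING.format(user=creds.name) if creds.warn_rekinit else None


if __name__ == "__main__":
    creds = resolve_admin_credentials(prompt=lambda _: "")  # simulate Enter
    print(creds)
    print(completion_message(creds))
```

The `prompt` and `runner` parameters exist so the decision logic can be exercised without a terminal or a KDC; a real installer would leave the defaults in place and call `kinit_with_password` only when `resolve_admin_credentials` returns a password.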



