[Freeipa-devel] [PATCH] 0070 Ask for admin password in ipa-adtrust-install

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 24 13:20:37 UTC 2012


On Thu, 23 Aug 2012, Petr Viktorin wrote:
>On 08/17/2012 11:04 AM, Alexander Bokovoy wrote:
>>Hi,
>>
>>The credentials of the admin user will be used to obtain a Kerberos ticket
>>before configuring cross-realm trusts support and afterwards, to
>>ensure that the ticket contains the MS-PAC information required to actually
>>add a trust with an Active Directory domain via the 'ipa trust-add --type=ad'
>>command.
>>
>>We discussed a few other approaches with Simo and decided to go for this
>>one as the simplest. By default, Kerberos tickets issued in an IPA install
>>are not renewable, so it is not possible to use 'kinit -R' to renew the
>>existing ticket. Another approach was to modify our KDB driver to attach
>>the MS-PAC to selected service tickets rather than to the TGT, but this means we
>>lose the advantage of 'caching' MS-PAC creation (which may be costly
>>due to LDAP lookups for gathering group membership) as part of the TGT
>>ticket.
>>
>>In the end, adding two options to ipa-adtrust-install, which is run only
>>once, is simpler.
>>
>>-A (--admin-name, defaults to 'admin') allows specifying the admin user
>>-a (--admin-password) allows specifying the admin user's password
>>
>>If the admin password is not specified, the existing default ccache credentials
>>are used and a warning message about the need to re-kinit is shown at the end.
>>
>>An unattended install is treated as if the admin password was not specified.
>>
>>http://fedorahosted.org/freeipa/ticket/2852
>>
>
>Looks good, ACK. Just put in spaces after the commas before you push:
>+    admin_password = read_password(admin_name,confirm=False,validate=None)

Thanks. Fixed this and another place and pushed to master + 3.0.

-- 
/ Alexander Bokovoy
