[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Martin Basti mbasti at redhat.com
Mon Dec 7 20:11:51 UTC 2015



On 07.12.2015 08:21, Jan Cholasta wrote:
> On 2.12.2015 16:23, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.
>>
>> Note that you still have to provide admin password in
>> ipa-replica-install, either using --admin-password or interactively,
>> because:
>>
>> a) Admin password is required for replica promotion. This will be fixed
>> with <https://fedorahosted.org/freeipa/ticket/5401>.
>>
>> Patches are on the list:
>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>. 
>>
>
> Pushed.
>
>>
>>
>> b) Admin password is required for connection check. This will be fixed
>> with <https://fedorahosted.org/freeipa/ticket/5497>.
>
> Martin Basti pointed out that admin password should not be asked 
> interactively during OTP replica promotion. Fixed.
>
> Updated and rebased patch attached.
>
>
>

1)
[root@vm-058-138 ~]# ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
Configuring client side components
Password for admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:

IMO password should be asked first, before any installation begins (IMO 
this is for conncheck)

2)
When the host is not in the ipaservers hostgroup. Also, I would expect a different error message:
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck

....
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
    conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
    raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available


3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

4)
This is not user friendly.
I used the wrong OTP password; can we somehow propagate the actual error from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
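
Point 4 above asks for the client installer's real error to reach stderr. One way to do that, as an added example that is not part of the original message, the patch under review or the FreeIPA code base; it also masks the --password value that the error line in the log echoes back. The helper names, the mask string and the failing child command are assumptions constructed for the example.

```python
import subprocess
import sys

# Options whose value is a secret; "--password" is the one in the log above.
SECRET_OPTS = ("--password",)

# Constructed stand-in for a failing client installer (not real IPA output).
FAKE_CLIENT = [sys.executable, "-c",
               "import sys; sys.stderr.write('constructed: enrollment failed\\n');"
               " sys.exit(1)",
               "--password", "sample-otp"]


class ChildInstallError(Exception):
    """The child installer exited with a non-zero status."""


def redact(argv):
    """Return a copy of argv with the values of secret options masked."""
    out, mask_next = [], False
    for arg in argv:
        name, eq, _ = arg.partition("=")
        if mask_next:
            out.append("********")
            mask_next = False
        elif eq and name in SECRET_OPTS:      # --password=VALUE form
            out.append(name + "=********")
        else:
            out.append(arg)
            mask_next = arg in SECRET_OPTS    # --password VALUE form
    return out


def run_child(argv, err_stream=None):
    """Run argv; on failure relay the child's stderr and raise with its last line."""
    err_stream = sys.stderr if err_stream is None else err_stream
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, universal_newlines=True)
    out, err = proc.communicate()
    if proc.returncode != 0:
        err_stream.write(err)                 # the actual error reaches the caller
        lines = err.strip().splitlines()
        raise ChildInstallError("%s returned non-zero exit status %d: %s" % (
            " ".join(redact(argv)), proc.returncode,
            lines[-1] if lines else "no error output"))
    return out
```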
