[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Jan Cholasta jcholast at redhat.com
Tue Dec 8 07:52:35 UTC 2015


On 7.12.2015 21:11, Martin Basti wrote:
>
>
> On 07.12.2015 08:21, Jan Cholasta wrote:
>> On 2.12.2015 16:23, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.
>>>
>>> Note that you still have to provide the admin password in
>>> ipa-replica-install, either using --admin-password or interactively,
>>> because:
>>>
>>> a) Admin password is required for replica promotion. This will be fixed
>>> with <https://fedorahosted.org/freeipa/ticket/5401>.
>>>
>>> Patches are on the list:
>>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.
>>>
>>
>> Pushed.
>>
>>>
>>>
>>> b) Admin password is required for connection check. This will be fixed
>>> with <https://fedorahosted.org/freeipa/ticket/5497>.
>>
>> Martin Basti pointed out that admin password should not be asked
>> interactively during OTP replica promotion. Fixed.
>>
>> Updated and rebased patch attached.
>>
>>
>>
>
> 1)
> [root at vm-058-138 ~]# ipa-replica-install --server
> vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
> abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
> Configuring client side components
> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>
> IMO password should be asked first, before any installation begins (IMO
> this is for conncheck)

The same thing happens without my patch. Could you file a ticket?

>
> 2)
> When the host is not in the ipaservers hostgroup. Also, I would expect a
> different error message
> ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
> --domain abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
> --skip-conncheck
>
> ....
>      step()
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 352, in <lambda>
>      step = lambda: next(self.__gen)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>      six.reraise(*exc_info)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>      value = gen.send(prev_value)
>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
>      for nothing in self._installer(self.parent):
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 1507, in main
>      promote_check(self)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 374, in decorated
>      func(installer)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 1002, in promote_check
>      conn.connect(ccache=installer._ccache)
>    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66,
> in connect
>      conn = self.create_connection(*args, **kw)
>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
> line 199, in create_connection
>      principal = krb_utils.get_principal(ccache_name=ccache)
>    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line
> 184, in get_principal
>      raise errors.CCacheError(message=unicode(e))
>
> 2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed,
> exception: CCacheError: Major (851968): Unspecified GSS failure. Minor
> code may provide more information, Minor (2529639053): No Kerberos
> credentials available
> 2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529639053): No Kerberos
> credentials available

Fixed.

>
>
> 3)
> This case is not handled very well:
> a) install client with OTP password
> b) install replica with the same OTP password (when the host is not in
> the ipaservers group; if the host is in the ipaservers group it works)
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major
> (851968): Unspecified GSS failure.  Minor code may provide more
> information, Minor (2529639053): No Kerberos credentials available
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information

This is the same as 2).

>
> 4)
> This is not user-friendly.
> I used a wrong OTP password; can we somehow propagate the actual error
> from the client install to stderr?
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of
> client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server'
> 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba''
> returned non-zero exit status 1
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information

The same thing happens without my patch for any other error. Could you 
file a ticket?

Updated patch attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-522.2-replica-promotion-allow-OTP-bulk-client-enrollment.patch
Type: text/x-patch
Size: 4741 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151208/0f340e00/attachment.bin>