[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Martin Basti mbasti at redhat.com
Tue Dec 8 09:31:09 UTC 2015



On 08.12.2015 08:52, Jan Cholasta wrote:
> On 7.12.2015 21:11, Martin Basti wrote:
>>
>>
>> On 07.12.2015 08:21, Jan Cholasta wrote:
>>> On 2.12.2015 16:23, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes 
>>>> <https://fedorahosted.org/freeipa/ticket/5498>.
>>>>
>>>> Note that you still have to provide admin password in
>>>> ipa-replica-install, either using --admin-password or interactively,
>>>> because:
>>>>
>>>> a) Admin password is required for replica promotion. This will be fixed
>>>> with <https://fedorahosted.org/freeipa/ticket/5401>.
>>>>
>>>> Patches are on the list:
>>>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.
>>>>
>>>
>>> Pushed.
>>>
>>>>
>>>>
>>>> b) Admin password is required for connection check. This will be fixed
>>>> with <https://fedorahosted.org/freeipa/ticket/5497>.
>>>
>>> Martin Basti pointed out that admin password should not be asked
>>> interactively during OTP replica promotion. Fixed.
>>>
>>> Updated and rebased patch attached.
>>>
>>>
>>>
>>
>> 1)
>> [root at vm-058-138 ~]# ipa-replica-install --server
>> vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
>> abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
>> Configuring client side components
>> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>>
>> IMO password should be asked first, before any installation begins (IMO
>> this is for conncheck)
>
> The same thing happens without my patch. Could you file a ticket?
https://fedorahosted.org/freeipa/ticket/5525

>
>>
>> 2)
>> When the host is not in the ipaservers hostgroup. Also, I would expect a
>> different error message
>> ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
>> --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
>> --skip-conncheck
>>
>> ....
>>      step()
>>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 352, in <lambda>
>>      step = lambda: next(self.__gen)
>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>      six.reraise(*exc_info)
>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>      value = gen.send(prev_value)
>>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>>      for nothing in self._installer(self.parent):
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1507, in main
>>      promote_check(self)
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 374, in decorated
>>      func(installer)
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1002, in promote_check
>>      conn.connect(ccache=installer._ccache)
>>      conn.connect(ccache=installer._ccache)
>>    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66,
>> in connect
>>      conn = self.create_connection(*args, **kw)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
>> line 199, in create_connection
>>      principal = krb_utils.get_principal(ccache_name=ccache)
>>    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line
>> 184, in get_principal
>>      raise errors.CCacheError(message=unicode(e))
>>
>> 2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed,
>> exception: CCacheError: Major (851968): Unspecified GSS failure. Minor
>> code may provide more information, Minor (2529639053): No Kerberos
>> credentials available
>> 2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure.
>> Minor code may provide more information, Minor (2529639053): No Kerberos
>> credentials available
>
> Fixed.
>
>>
>>
>> 3)
>> This case is not handled very well:
>> a) install client with OTP password
>> b) install replica with the same OTP password (when the host is not in the
>> ipaservers group; if the host is in the ipaservers group it works)
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major
>> (851968): Unspecified GSS failure.  Minor code may provide more
>> information, Minor (2529639053): No Kerberos credentials available
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more information
>
> This is the same as 2).
>
>>
>> 4)
>> This is not user friendly.
>> I used a wrong OTP password; can we somehow propagate the actual error
>> from the client install to stderr?
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of
>> client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server'
>> 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba''
>> returned non-zero exit status 1
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more information
>
> The same thing happens without my patch for any other error. Could you 
> file a ticket?

https://fedorahosted.org/freeipa/ticket/5527

>
> Updated patch attached.
>
Working on review
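Editor's added example, not code from this thread or from FreeIPA. Point 4 above asks for the real ipa-client-install error to reach stderr instead of only "returned non-zero exit status 1". The quoted error also shows a second thing worth fixing at the same time: the full command line, including '--password' 'buba', is already echoed into the error message and therefore into ipareplica-install.log, so the OTP (or, in point 1, the admin password) lands in a log file. The helper below (Python 3; all names are hypothetical and do not reproduce FreeIPA's actual wrapper around ipa-client-install) runs the child process, surfaces the tail of its stderr on failure, and redacts the values of password flags before the command line is reported. The failing "client install" is a constructed stand-in that writes to stderr and exits 1, so the example runs offline.

```python
import subprocess
import sys

# Assumed set of flags whose argument is a secret; extend to taste.
SECRET_FLAGS = ("--password", "-w", "--admin-password")
REDACTED = "********"


def redact_argv(argv):
    """Return a copy of argv with the values of secret flags masked.

    Handles both '--password secret' and '--password=secret'.
    """
    out = []
    hide_next = False
    for arg in argv:
        flag, sep, _value = arg.partition("=")
        if hide_next:
            out.append(REDACTED)
            hide_next = False
        elif arg in SECRET_FLAGS:
            out.append(arg)
            hide_next = True
        elif sep and flag in SECRET_FLAGS:
            out.append(flag + "=" + REDACTED)
        else:
            out.append(arg)
    return out


class ClientInstallError(Exception):
    """Failure of the client-side install step, with the child's own stderr.

    The message carries the redacted command line and the last few lines
    of stderr, so the user sees e.g. the Kerberos error, not just 'exit 1'.
    """

    def __init__(self, argv, returncode, stderr, tail_lines=5):
        self.argv = redact_argv(argv)
        self.returncode = returncode
        self.stderr = stderr
        lines = stderr.rstrip().splitlines()
        self.tail = "\n".join(lines[-tail_lines:]) if lines else "(no stderr output)"
        super().__init__(
            "Configuration of client side components failed!\n"
            "%s returned %d:\n%s" % (" ".join(self.argv), returncode, self.tail)
        )


def run_client_install(argv, tail_lines=5):
    """Run the client installer; raise ClientInstallError with details on failure."""
    proc = subprocess.run(
        list(argv), stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        universal_newlines=True,
    )
    if proc.returncode != 0:
        raise ClientInstallError(argv, proc.returncode, proc.stderr, tail_lines)
    return proc.stdout


def install_or_explain(argv):
    """Return (ok, message); message is the redacted, detailed error on failure."""
    try:
        run_client_install(argv)
        return True, ""
    except ClientInstallError as exc:
        return False, str(exc)


# Constructed stand-ins for ipa-client-install: one that fails the way a wrong
# OTP would (writes a Kerberos error to stderr, exits 1) and one that succeeds.
# The trailing arguments are ignored by the stand-in; they only exercise redaction.
FAKE_FAILING_CLIENT = [
    sys.executable, "-c",
    "import sys\n"
    "sys.stderr.write('Kerberos authentication failed: kinit: Preauthentication failed\\n')\n"
    "sys.stderr.write('Installation failed. Rolling back changes.\\n')\n"
    "sys.exit(1)\n",
    "--unattended", "--password", "buba",
]
FAKE_SUCCEEDING_CLIENT = [sys.executable, "-c", "pass", "--unattended"]


if __name__ == "__main__":
    ok, message = install_or_explain(FAKE_FAILING_CLIENT)
    print("ok=%s\n%s" % (ok, message))
```

The redaction is done on the argv list before it is rendered into text, so the same list can be reused for the log file and the terminal without either ever containing the secret; passing the password via a file or stdin would avoid exposing it in the process table as well, which this helper does not address.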
