[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Jan Cholasta jcholast at redhat.com
Tue Dec 8 12:09:53 UTC 2015


On 8.12.2015 12:49, Martin Basti wrote:
>
>
> On 08.12.2015 10:31, Martin Basti wrote:
>>
>>
>> On 08.12.2015 08:52, Jan Cholasta wrote:
>>> On 7.12.2015 21:11, Martin Basti wrote:
>>>>
>>>>
>>>> On 07.12.2015 08:21, Jan Cholasta wrote:
>>>>> On 2.12.2015 16:23, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patch fixes
>>>>>> <https://fedorahosted.org/freeipa/ticket/5498>.
>>>>>>
>>>>>> Note that you still have to provide admin password in
>>>>>> ipa-replica-install, either using --admin-password or interactively,
>>>>>> because:
>>>>>>
>>>>>> a) Admin password is required for replica promotion. This will be
>>>>>> fixed
>>>>>> with <https://fedorahosted.org/freeipa/ticket/5401>.
>>>>>>
>>>>>> Patches are on the list:
>>>>>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.
>>>>>>
>>>>>>
>>>>>
>>>>> Pushed.
>>>>>
>>>>>>
>>>>>>
>>>>>> b) Admin password is required for connection check. This will be
>>>>>> fixed
>>>>>> with <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>
>>>>> Martin Basti pointed out that admin password should not be asked
>>>>> interactively during OTP replica promotion. Fixed.
>>>>>
>>>>> Updated and rebased patch attached.
>>>>>
>>>>>
>>>>>
>>>>
>>>> 1)
>>>> [root at vm-058-138 ~]# ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
>>>> Configuring client side components
>>>> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>>>>
>>>> IMO password should be asked first, before any installation begins (IMO
>>>> this is for conncheck)
>>>
>>> The same thing happens without my patch. Could you file a ticket?
>> https://fedorahosted.org/freeipa/ticket/5525
>>
>>>
>>>>
>>>> 2)
>>>> When host is not in ipaservers hostgroup. Also I would expect different
>>>> error message
>>>> ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck
>>>>
>>>> ....
>>>>      step()
>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
>>>>      step = lambda: next(self.__gen)
>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>>      six.reraise(*exc_info)
>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>>      value = gen.send(prev_value)
>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>>      for nothing in self._installer(self.parent):
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
>>>>      promote_check(self)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
>>>>      func(installer)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
>>>>      conn.connect(ccache=installer._ccache)
>>>>    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
>>>>      conn = self.create_connection(*args, **kw)
>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
>>>>      principal = krb_utils.get_principal(ccache_name=ccache)
>>>>    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
>>>>      raise errors.CCacheError(message=unicode(e))
>>>>
>>>> 2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>> 2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>
>>> Fixed.
>>>
>>>>
>>>>
>>>> 3)
>>>> This case is not handled very well:
>>>> a) install client with OTP password
>>>> b) install replica with the same OTP password (when host is not in
>>>> ipaservers group; if host is in ipaservers group it works)
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>> This is the same as 2).
>>>
>>>>
>>>> 4)
>>>> This is not user friendly
>>>> I used wrong OTP password, can we somehow propagate the actual error
>>>> from client install to stderr?
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>> The same thing happens without my patch for any other error. Could
>>> you file a ticket?
>>
>> https://fedorahosted.org/freeipa/ticket/5527
>>
>>>
>>> Updated patch attached.
>>>
>> Working on review
>>
>
> Is this expected that client will be installed even if there is not
> enough privileges to install replica?
>
> # ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com  --domain abc.idm.lab.eng.brq.redhat.com --password bubak --skip-conncheck
> Configuring client side components
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Insufficient privileges to promote the server.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Yes. The check can't be done without the host keytab, which you get with 
ipa-client-install. If ipa-client-install wasn't monolithic, the check 
could be done earlier, but we are not there yet.

The client should probably be uninstalled in case of failure, though.

-- 
Jan Cholasta



