[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Martin Basti mbasti at redhat.com
Tue Dec 8 12:19:40 UTC 2015



On 08.12.2015 13:09, Jan Cholasta wrote:
> On 8.12.2015 12:49, Martin Basti wrote:
>>
>>
>> On 08.12.2015 10:31, Martin Basti wrote:
>>>
>>>
>>> On 08.12.2015 08:52, Jan Cholasta wrote:
>>>> On 7.12.2015 21:11, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 07.12.2015 08:21, Jan Cholasta wrote:
>>>>>> On 2.12.2015 16:23, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> the attached patch fixes
>>>>>>> <https://fedorahosted.org/freeipa/ticket/5498>.
>>>>>>>
>>>>>>> Note that you still have to provide admin password in
>>>>>>> ipa-replica-install, either using --admin-password or 
>>>>>>> interactively,
>>>>>>> because:
>>>>>>>
>>>>>>> a) Admin password is required for replica promotion. This will be
>>>>>>> fixed with <https://fedorahosted.org/freeipa/ticket/5401>.
>>>>>>>
>>>>>>> Patches are on the list:
>>>>>>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.
>>>>>>>
>>>>>>
>>>>>> Pushed.
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b) Admin password is required for connection check. This will be
>>>>>>> fixed with <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>>
>>>>>> Martin Basti pointed out that admin password should not be asked
>>>>>> interactively during OTP replica promotion. Fixed.
>>>>>>
>>>>>> Updated and rebased patch attached.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> 1)
>>>>> [root at vm-058-138 ~]# ipa-replica-install --server
>>>>> vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
>>>>> abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
>>>>> Configuring client side components
>>>>> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>>>>>
>>>>> IMO the password should be asked first, before any installation begins
>>>>> (IMO this is for conncheck)
>>>>
>>>> The same thing happens without my patch. Could you file a ticket?
>>> https://fedorahosted.org/freeipa/ticket/5525
>>>
>>>>
>>>>>
>>>>> 2)
>>>>> When the host is not in the ipaservers hostgroup. Also I would expect a
>>>>> different error message
>>>>> ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
>>>>> --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
>>>>> --skip-conncheck
>>>>>
>>>>> ....
>>>>>      step()
>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
>>>>>      step = lambda: next(self.__gen)
>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>>>      six.reraise(*exc_info)
>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>>>      value = gen.send(prev_value)
>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>>>      for nothing in self._installer(self.parent):
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
>>>>>      promote_check(self)
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
>>>>>      func(installer)
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
>>>>>      conn.connect(ccache=installer._ccache)
>>>>>    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
>>>>>      conn = self.create_connection(*args, **kw)
>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
>>>>>      principal = krb_utils.get_principal(ccache_name=ccache)
>>>>>    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
>>>>>      raise errors.CCacheError(message=unicode(e))
>>>>>
>>>>> 2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>>> 2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>>
>>>> Fixed.
>>>>
>>>>>
>>>>>
>>>>> 3)
>>>>> This case is not handled very well:
>>>>> a) install client with OTP password
>>>>> b) install replica with the same OTP password (when the host is not in
>>>>> the ipaservers group; if the host is in the ipaservers group it works)
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Major
>>>>> (851968): Unspecified GSS failure.  Minor code may provide more
>>>>> information, Minor (2529639053): No Kerberos credentials available
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>> ipa-replica-install command failed. See 
>>>>> /var/log/ipareplica-install.log
>>>>> for more information
>>>>
>>>> This is the same as 2).
>>>>
>>>>>
>>>>> 4)
>>>>> This is not user-friendly.
>>>>> I used a wrong OTP password; can we somehow propagate the actual error
>>>>> from the client install to stderr?
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>
>>>> The same thing happens without my patch for any other error. Could
>>>> you file a ticket?
>>>
>>> https://fedorahosted.org/freeipa/ticket/5527
>>>
>>>>
>>>> Updated patch attached.
>>>>
>>> Working on review
>>>
>>
>> Is it expected that the client will be installed even if there are not
>> enough privileges to install the replica?
>>
>> # ipa-replica-install --server
>> vm-058-137.abc.idm.lab.eng.brq.redhat.com  --domain
>> abc.idm.lab.eng.brq.redhat.com --password bubak --skip-conncheck
>> Configuring client side components
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR
>> Insufficient privileges to promote the server.
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more information
>
> Yes. The check can't be done without the host keytab, which you get 
> with ipa-client-install. If ipa-client-install wasn't monolithic, the 
> check could be done earlier, but we are not there yet.
>
> The client should probably be uninstalled in case of failure, though.
>
ACK

I will report this in a separate ticket



