[Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

Martin Basti mbasti at redhat.com
Wed Dec 9 09:17:03 UTC 2015



On 08.12.2015 13:19, Martin Basti wrote:
>
>
> On 08.12.2015 13:09, Jan Cholasta wrote:
>> On 8.12.2015 12:49, Martin Basti wrote:
>>>
>>>
>>> On 08.12.2015 10:31, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.12.2015 08:52, Jan Cholasta wrote:
>>>>> On 7.12.2015 21:11, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 07.12.2015 08:21, Jan Cholasta wrote:
>>>>>>> On 2.12.2015 16:23, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the attached patch fixes
>>>>>>>> <https://fedorahosted.org/freeipa/ticket/5498>.
>>>>>>>>
>>>>>>>> Note that you still have to provide admin password in
>>>>>>>> ipa-replica-install, either using --admin-password or 
>>>>>>>> interactively,
>>>>>>>> because:
>>>>>>>>
>>>>>>>> a) Admin password is required for replica promotion. This will be
>>>>>>>> fixed
>>>>>>>> with <https://fedorahosted.org/freeipa/ticket/5401>.
>>>>>>>>
>>>>>>>> Patches are on the list:
>>>>>>>> <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>. 
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Pushed.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> b) Admin password is required for connection check. This will be
>>>>>>>> fixed
>>>>>>>> with <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>>>
>>>>>>> Martin Basti pointed out that admin password should not be asked
>>>>>>> interactively during OTP replica promotion. Fixed.
>>>>>>>
>>>>>>> Updated and rebased patch attached.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> 1)
>>>>>> [root@vm-058-138 ~]# ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
>>>>>> Configuring client side components
>>>>>> Password for admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>>>>>>
>>>>>> IMO password should be asked first, before any installation 
>>>>>> begins (IMO
>>>>>> this is for conncheck)
>>>>>
>>>>> The same thing happens without my patch. Could you file a ticket?
>>>> https://fedorahosted.org/freeipa/ticket/5525
>>>>
>>>>>
>>>>>>
>>>>>> 2)
>>>>>> When the host is not in the ipaservers hostgroup. Also I would expect a different error message:
>>>>>> ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca --skip-conncheck
>>>>>>
>>>>>> ....
>>>>>>      step()
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in <lambda>
>>>>>>      step = lambda: next(self.__gen)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>>>>      six.reraise(*exc_info)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>>>>      value = gen.send(prev_value)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>>>>      for nothing in self._installer(self.parent):
>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in main
>>>>>>      promote_check(self)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 374, in decorated
>>>>>>      func(installer)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1002, in promote_check
>>>>>>      conn.connect(ccache=installer._ccache)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
>>>>>>      conn = self.create_connection(*args, **kw)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
>>>>>>      principal = krb_utils.get_principal(ccache_name=ccache)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 184, in get_principal
>>>>>>      raise errors.CCacheError(message=unicode(e))
>>>>>>
>>>>>> 2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, exception: CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>>>> 2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>>>
>>>>> Fixed.
>>>>>
>>>>>>
>>>>>>
>>>>>> 3)
>>>>>> This case is not handled very well:
>>>>>> a) install client with OTP password
>>>>>> b) install replica with the same OTP password (when the host is not in the ipaservers group; if the host is in the ipaservers group it works)
>>>>>>
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>>
>>>>> This is the same as 2).
>>>>>
>>>>>>
>>>>>> 4)
>>>>>> This is not user friendly.
>>>>>> I used a wrong OTP password; can we somehow propagate the actual error from the client install to stderr?
>>>>>>
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of client side components failed!
>>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' returned non-zero exit status 1
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>>
>>>>> The same thing happens without my patch for any other error. Could
>>>>> you file a ticket?
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5527
>>>>
>>>>>
>>>>> Updated patch attached.
>>>>>
>>>> Working on review
>>>>
>>>
>>> Is it expected that the client will be installed even if there are not enough privileges to install the replica?
>>>
>>> # ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain abc.idm.lab.eng.brq.redhat.com --password bubak --skip-conncheck
>>> Configuring client side components
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Insufficient privileges to promote the server.
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>
>> Yes. The check can't be done without the host keytab, which you get 
>> with ipa-client-install. If ipa-client-install wasn't monolithic, the 
>> check could be done earlier, but we are not there yet.
>>
>> The client should probably be uninstalled in case of failure, though.
>>
> ACK
>
> I will report this in a separate ticket
>
Pushed to master: faf608556427849b33f4525b9bac2e71020bb962
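As an added illustration that is not FreeIPA code and not part of the patch under review, the following Python models the ordering discussed above: the host keytab exists only after ipa-client-install, so the promotion precheck (modelled here as membership of the ipaservers hostgroup, as in the thread) can only run afterwards, and when the check fails the client enrollment is rolled back, which is the follow-up Jan and Martin agree on. `FakeDirectory`, `replica_install`, `demo`, the host names and the OTP values are all constructed stand-ins, and it is an assumption of the model that uninstalling the client is the complete rollback.

```python
# Added example, not FreeIPA's code: a toy model of the ordering in this
# thread. The host keytab only exists after ipa-client-install, so the
# "may this host be promoted?" check can only run afterwards; when it
# fails, the client enrollment is rolled back so no half-enrolled host
# remains. Every name, data structure and message below is a constructed
# stand-in for the real server-side state and tooling.


class PromotionError(Exception):
    """The precheck rejected the host (modelled on 'Insufficient privileges')."""


class FakeDirectory:
    """Constructed stand-in for the IPA server side: OTPs, keytabs, hostgroups."""

    def __init__(self, otps, hostgroups):
        self.otps = dict(otps)          # fqdn -> one-time enrollment password
        self.hostgroups = hostgroups    # group name -> set of fqdns
        self.keytabs = set()            # hosts that currently hold a keytab

    def enroll(self, fqdn, password):
        # OTP bulk enrollment: the password is single use and bound to the host.
        if self.otps.get(fqdn) != password:
            raise ValueError("client enrollment failed: bad OTP for %s" % fqdn)
        del self.otps[fqdn]
        self.keytabs.add(fqdn)

    def unenroll(self, fqdn):
        self.keytabs.discard(fqdn)

    def may_promote(self, fqdn):
        # The check needs host credentials first; running it without them is
        # the "No Kerberos credentials available" case from the thread.
        if fqdn not in self.keytabs:
            raise RuntimeError("No Kerberos credentials available")
        return fqdn in self.hostgroups.get("ipaservers", set())


def replica_install(directory, fqdn, password):
    """Run the modelled replica-install flow and return its log lines.

    The client step is undone when the promotion precheck fails; it is an
    assumption of this model that unenrolling is the complete rollback.
    """
    log = ["Configuring client side components"]
    directory.enroll(fqdn, password)
    try:
        if not directory.may_promote(fqdn):
            raise PromotionError("Insufficient privileges to promote the server.")
        log.append("Promoting %s to replica" % fqdn)
    except PromotionError as exc:
        log.append("ERROR %s" % exc)
        directory.unenroll(fqdn)        # roll back the client enrollment
        log.append("Rolled back client enrollment on %s" % fqdn)
    return log


def demo():
    """Constructed scenario: one host in ipaservers, one that is not."""
    directory = FakeDirectory(
        otps={"r1.example.test": "otp-r1", "r2.example.test": "otp-r2"},
        hostgroups={"ipaservers": {"r1.example.test"}},
    )
    allowed = replica_install(directory, "r1.example.test", "otp-r1")
    denied = replica_install(directory, "r2.example.test", "otp-r2")
    return directory, allowed, denied


if __name__ == "__main__":
    d, allowed, denied = demo()
    print("\n".join(allowed))
    print("\n".join(denied))
    print("hosts still enrolled:", sorted(d.keytabs))
```

Note that the OTP is consumed by the enrollment step even when promotion is then refused, so a host that was rolled back needs a fresh one-time password before a retry; that is one reason the precheck result should be visible on stderr rather than buried in the install log.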
