[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Nathaniel McCallum npmccallum at redhat.com
Tue Jun 23 18:33:16 UTC 2015


I’m sold. ACK

Simo, speak now or forever hold your peace (or patch it later).


> On Jun 23, 2015, at 2:20 PM, Christian Heimes <cheimes at redhat.com> wrote:
> 
> On 2015-06-23 19:55, Nathaniel McCallum wrote:
>> The behavior I'm worried about here is this:
>> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
>> 2. Admin disables kdcproxy
>> 3. Admin updates to the next version
>> 
>> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it).
>> 
>> Other than this, I'm happy. So if we can answer this, it is an ack from me.
> 
> That is covered by the check is_kdcproxy_configured(). It checks for the
> presence of a file. That file is created during installation or at the
> first update.
> 
> 
> Let's see if the check works. First I'm disabling kdcproxy:
> 
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
> Updating existing entry:
> cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
> 
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>404 Not Found</title>
> </head><body>
> <h1>Not Found</h1>
> <p>The requested URL /KdcProxy was not found on this server.</p>
> </body></html>
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory
> 
> 
> Next I'm running the updater and checking the feature again:
> 
> # ipa-server-upgrade
> ...
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>404 Not Found</title>
> </head><body>
> <h1>Not Found</h1>
> <p>The requested URL /KdcProxy was not found on this server.</p>
> </body></html>
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory
> 
> 
> KDC proxy is still disabled. Let's enable it and check again.
> 
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
> Updating existing entry:
> cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
> 
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> Method not allowed (GET)
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
>  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ -> ‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
>  Size: 36              Blocks: 0          IO Block: 4096   symbolic link
> Device: fd01h/64769d    Inode: 398238      Links: 1
> ...
> 
> 
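
The manual verification quoted above relies on two observations agreeing: the httpd conf.d symlink and the body returned for a GET on /KdcProxy. The following is an added example, not part of the original thread or of the FreeIPA patch, that combines both into one check; the function name `kdcproxy_state` and its optional path argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify KDC proxy state from the two observations used in
# the thread: the httpd conf.d symlink and the body returned by GET /KdcProxy.
# The function name and its LINK argument are assumptions for illustration.

kdcproxy_state() {
    body=$1
    link=${2:-/etc/httpd/conf.d/ipa-kdc-proxy.conf}

    # Config side: the conf file (a symlink in the thread) must resolve.
    if [ -e "$link" ]; then
        conf=present
    elif [ -L "$link" ]; then
        conf=dangling
    else
        conf=absent
    fi

    # HTTP side: match the response bodies shown in the thread.
    case $body in
        *"Method not allowed"*) http=served ;;
        *"404 Not Found"*)      http=missing ;;
        *)                      http=unknown ;;
    esac

    # Both observations must agree before the state is reported as settled.
    case "$conf/$http" in
        present/served) echo enabled ;;
        absent/missing) echo disabled ;;
        present/missing|absent/served)
            echo "inconsistent: conf=$conf http=$http (httpd not restarted?)" ;;
        *)  echo "inconsistent: conf=$conf http=$http" ;;
    esac
}

# Constructed demo: symlink in place, but httpd still answers 404.
demo=$(mktemp -d)
touch "$demo/target.conf"
ln -s "$demo/target.conf" "$demo/ipa-kdc-proxy.conf"
kdcproxy_state '<title>404 Not Found</title>' "$demo/ipa-kdc-proxy.conf"
rm -rf "$demo"
```

On a live server the first argument would be the output of the same `curl` request used in the thread, with the second argument omitted so the default path is checked. Running it before and after `ipa-server-upgrade` makes a silently re-enabled proxy show up as a change from `disabled`.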