[Freeipa-devel] [PATCHES 0015-0019] changes to the way host TGT is obtained using keytab

Martin Babinsky mbabinsk at redhat.com
Fri Mar 6 12:05:11 UTC 2015


This series of patches for the master/4.1 branch attempts to implement 
some of Rob's and Petr Vobornik's ideas, which originated from a 
discussion on this list regarding my original patch fixing 
https://fedorahosted.org/freeipa/ticket/4808.

I suppose that these patches are just a first iteration; we may further 
discuss if this is the right thing to do.

Below is a quote from the original discussion just to get the context:

-- 
Martin^3 Babinsky

> Martin Babinsky wrote:
>> On 03/02/2015 04:28 PM, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>>>>>>>> On 01/12/2015 05:45 PM, Martin Babinsky wrote:
>>>>>>>>>>> related to ticket https://fedorahosted.org/freeipa/ticket/4808
>>>>
>>>> this patch seems to be a bit forgotten.
>>>>
>>>> It works, looks fine.
>>>>
>>>> One minor issue: trailing whitespaces in the man page.
>>>>
>>>> I also wonder if it shouldn't be used in other tools which call kinit
>>>> with keytab:
>>>> * ipa-client-automount:434
>>>> * ipa-client-install:2591 (this usage should be fine since it's used for
>>>> server installation)
>>>> * dcerpc.py:545
>>>> * rpcserver.py: 971, 981 (armor for web ui forms base auth)
>>>>
>>>> Most importantly the ipa-client-automount because it's called from
>>>> ipa-client-install (if location is specified) and therefore it might
>>>> fail during client installation.
>>>>
>>>> Or also, kinit call with admin credentials worked for the user but I
>>>> wonder if it was just a coincidence and may break under slightly
>>>> different but similar conditions.
>>>
>>> I think that's a fine idea. In fact there is already a function that
>>> could be extended, kinit_hostprincipal().
>>>
>>> rob
>>>
>>
>> So in principle we could add multiple TGT retries to
>> "kinit_hostprincipal()" and then plug this function to all the places
>> Petr mentioned in order to provide this functionality each time TGT is
>> requested using keytab.
>>
>> Do I understand it correctly?
>>
>
> Honestly I think I'd only do the retries on client installation.  I
> don't know that the other uses would really benefit or need this.
>
> But this is an opportunity to consolidate some code, so I guess the
> approach I'd take is to add an option to kinit_hostprincipal of
> retries=0 so that only a single kinit is done. The client installers
> would pass in some value.
>
> This change is quite a bit more invasive but it's also early in the
> release cycle so the risk will be spread out.
>
> rob
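The retries option Rob sketches above (a single kinit by default, more attempts only where an installer asks for them), written out as an added example that is not code from this patch series or from FreeIPA's ipautil; the function name, the fixed pause between attempts and the injectable `run`/`sleep` hooks are assumptions of this example.

```python
import subprocess
import time


class KinitError(Exception):
    """Raised when every kinit attempt against the keytab failed."""


def _run_kinit(principal, keytab, ccache):
    """Obtain a TGT for `principal` with the key in `keytab`; return (rc, stderr)."""
    # -k -t: authenticate with the keytab entry, never with a password.
    # -c: write the credential cache to an explicit path so the caller can hand
    #     it to the tool that needs it and remove it afterwards.
    proc = subprocess.run(
        ["kinit", "-k", "-t", keytab, "-c", ccache, principal],
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True,
    )
    return proc.returncode, proc.stderr.strip()


def kinit_keytab_with_retries(principal, keytab, ccache, attempts=1,
                              delay=1.0, run=_run_kinit, sleep=time.sleep):
    """Try to obtain a host TGT up to `attempts` times.

    attempts=1 is the plain single kinit that ordinary callers keep; an
    installer passes a higher value to ride out a host principal that is not
    yet usable on the KDC it talks to. Returns the 1-based number of the
    attempt that succeeded; raises KinitError with every error collected when
    all attempts fail, so the failure is logged, not retried forever.
    (`run` and `sleep` are hypothetical hooks that make the loop testable.)
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    failures = []
    for attempt in range(1, attempts + 1):
        rc, err = run(principal, keytab, ccache)
        if rc == 0:
            return attempt
        failures.append("attempt %d: %s" % (attempt, err or "kinit exited %d" % rc))
        if attempt < attempts:
            sleep(delay)  # fixed pause before the next try
    raise KinitError("kinit for %s failed %d time(s): %s"
                     % (principal, attempts, "; ".join(failures)))
```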
Attachments (text/x-patch, scrubbed by the list archive):
freeipa-mbabinsk-0015-1-modifications-to-ipautil.kinit_hostprincipal.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20150306/de2324f7/attachment.bin>
freeipa-mbabinsk-0016-1-ipa-client-install-try-to-get-host-TGT-several-times.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20150306/de2324f7/attachment-0001.bin>
freeipa-mbabinsk-0017-1-ipa-client-automount-use-updated-ipautil.kinit_hostp.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20150306/de2324f7/attachment-0002.bin>
freeipa-mbabinsk-0018-1-rpcserver.py-use-ipautil.kinit_hostprincipal-to-obta.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20150306/de2324f7/attachment-0003.bin>
freeipa-mbabinsk-0019-1-updated-existing-calls-to-ipautil.kinit_hostprincipa.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20150306/de2324f7/attachment-0004.bin>