[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Rob Crittenden rcritten at redhat.com
Tue Sep 11 20:39:46 UTC 2012


Petr Viktorin wrote:
> When installing the client, we need to take extra care to only contact
> the one server we're installing against. Otherwise, in the real world,
> we might hit a server that hasn't replicated info about the client yet.
>
> This patch fixes a bug where kinit attempted to contact a KDC that
> didn't have the host principal yet.
>
>
> To reproduce:
>
> - Install a "master" and "replica"
> - Change the Kerberos DNS entries to only point to the replica:
>      for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' \
>                      '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>          ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>      done
>      ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>      ipa dnsrecord-find $DOMAIN  # check
> - Sever communication between the hosts to disable replication:
>      (on master)
>      iptables -A INPUT -j DROP -p all --source $REPLICA_IP
> - On client machine, put master as nameserver in /etc/resolv.conf &
> install client
>
> This will fail without the patch.
>
>
> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
> explain the bug. I learned a lot.
>
> https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob
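The problem Petr describes is that the client's kinit resolves the KDC through DNS SRV records and can land on a replica that has not yet received the new host principal. The following added example (not code from FreeIPA or from this patch) shows one way a client-side installer can pin Kerberos traffic to the single server it is enrolling against: it writes a minimal krb5.conf that names exactly one KDC and turns off SRV lookup, and it includes a checker that reports why a given krb5.conf could still send kinit elsewhere. The realm, host names and the `pinned_krb5_conf`/`kdc_pin_problems` helpers are assumptions made for this illustration; the `dns_lookup_kdc` default of `true` is MIT Kerberos behaviour.

```python
"""Pin a Kerberos client to one KDC and verify the pin holds.

Added example; the configuration layout and helper names are assumptions,
not the FreeIPA installer's own code.
"""
import re
from typing import Dict, List, Tuple


def pinned_krb5_conf(realm: str, kdc: str, domain: str) -> str:
    """Return krb5.conf text that names exactly one KDC and disables SRV lookup."""
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "  dns_lookup_kdc = false\n"       # never consult _kerberos SRV records
        "  dns_lookup_realm = false\n"
        "\n"
        "[realms]\n"
        f"  {realm} = {{\n"
        f"    kdc = {kdc}:88\n"             # the one server we enrolled against
        f"    master_kdc = {kdc}:88\n"
        f"    admin_server = {kdc}:749\n"
        "  }\n"
        "\n"
        "[domain_realm]\n"
        f"  .{domain} = {realm}\n"
        f"  {domain} = {realm}\n"
    )


def parse_krb5_conf(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Minimal parser: returns ([libdefaults] key/values, realm -> list of kdc values).

    Handles the brace-delimited [realms] stanzas that configparser cannot.
    """
    libdefaults: Dict[str, str] = {}
    realms: Dict[str, List[str]] = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            libdefaults[key.strip()] = value.strip().lower()
        elif section == "realms":
            opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if opener:
                realm = opener.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    realms[realm].append(value.strip())
    return libdefaults, realms


def kdc_pin_problems(text: str, realm: str, expected_kdc: str) -> List[str]:
    """Return the reasons (empty if none) this config could send kinit to another KDC."""
    libdefaults, realms = parse_krb5_conf(text)
    problems: List[str] = []
    # MIT krb5 defaults dns_lookup_kdc to true, so a missing key is a problem too.
    if libdefaults.get("dns_lookup_kdc", "true") != "false":
        problems.append("dns_lookup_kdc is not false: SRV records may add other KDCs")
    kdcs = [entry.split(":")[0] for entry in realms.get(realm, [])]
    if not kdcs:
        problems.append(f"no kdc entry for realm {realm}: lookup falls back to DNS")
    elif kdcs != [expected_kdc]:
        problems.append(f"kdc list {kdcs} is not exactly [{expected_kdc!r}]")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    conf = pinned_krb5_conf("EXAMPLE.TEST", "master.example.test", "example.test")
    print(conf)
    print("problems:", kdc_pin_problems(conf, "EXAMPLE.TEST", "master.example.test"))
```

In practice the generated text would be written to a temporary file and handed to kinit through the `KRB5_CONFIG` environment variable for the duration of the enrollment, so the system-wide krb5.conf (which may legitimately list every KDC once replication has caught up) is left untouched.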