[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Petr Viktorin pviktori at redhat.com
Wed Sep 12 11:20:03 UTC 2012


On 09/11/2012 10:39 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> When installing the client, we need to take extra care to only contact
>> the one server we're installing against. Otherwise, in the real world,
>> we might hit a server that hasn't replicated info about the client yet.
>>
>> This patch fixes a bug where kinit attempted to contact a KDC that
>> didn't have the host principal yet.
>>
>>
>> To reproduce:
>>
>> - Install a "master" and "replica"
>> - Change the Kerberos DNS entries to only point to the replica:
>>      for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>          ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>      done
>>      ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>      ipa dnsrecord-find $DOMAIN  # check
>> - Sever communication between the hosts to disable replication:
>>      (on master)
>>      iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>> - On client machine, put master as nameserver in /etc/resolv.conf &
>> install client
>>
>> This will fail without the patch.
>>
>>
>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>> explain the bug. I learned a lot.
>>
>> https://fedorahosted.org/freeipa/ticket/2982
>
> ACK, pushed to master and ipa-3-0
>
> rob
>

The patch broke server installs. Please revert it if you're having 
trouble while I look into it.


-- 
Petr³
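Added example, not the patch's code or part of the thread: one way to make kinit talk to a single KDC during enrollment is to hand it a temporary krb5.conf (via KRB5_CONFIG) that disables DNS SRV lookup and names only the server being installed against. Whether ipa-client-install does exactly this is not stated here; the realm, host and domain names are constructed for illustration.

```python
import os
import re
import subprocess
import tempfile


def pinned_krb5_conf(realm, kdc_host, domain):
    """krb5.conf text naming exactly one KDC and disabling DNS SRV discovery."""
    return "\n".join([
        "[libdefaults]",
        f"  default_realm = {realm}",
        "  dns_lookup_kdc = false",    # never fall back to _kerberos._tcp SRV records
        "  dns_lookup_realm = false",
        "",
        "[realms]",
        f"  {realm} = {{",
        f"    kdc = {kdc_host}:88",    # the only KDC libkrb5 may contact
        f"    master_kdc = {kdc_host}:88",
        f"    admin_server = {kdc_host}:749",
        "  }",
        "",
        "[domain_realm]",
        f"  .{domain} = {realm}",
        f"  {domain} = {realm}",
        "",
    ])


def kdcs_in(conf_text, realm):
    """Check a config before use: (dns_lookup_kdc disabled?, kdc values in realm stanza)."""
    dns_off = re.search(r"^\s*dns_lookup_kdc\s*=\s*false\s*$", conf_text, re.M) is not None
    stanza = re.search(rf"^\s*{re.escape(realm)}\s*=\s*\{{(.*?)^\s*\}}", conf_text, re.M | re.S)
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", stanza.group(1), re.M) if stanza else []
    return dns_off, kdcs


def kinit_via_one_kdc(realm, kdc_host, domain, keytab, principal):
    """Run kinit with KRB5_CONFIG pointing at the pinned config; returns its exit status."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(pinned_krb5_conf(realm, kdc_host, domain))
    env = dict(os.environ, KRB5_CONFIG=f.name)  # only this file is consulted
    try:
        return subprocess.call(["kinit", "-k", "-t", keytab, principal], env=env)
    finally:
        os.unlink(f.name)
```

On an enrolled host, `kinit_via_one_kdc("EXAMPLE.TEST", "master.example.test", "example.test", "/etc/krb5.keytab", "host/client.example.test@EXAMPLE.TEST")` obtains the host TGT from master.example.test alone, so a replica that has not yet received the host entry is never asked.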
