[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Petr Viktorin pviktori at redhat.com
Wed Sep 12 12:09:15 UTC 2012


On 09/12/2012 01:20 PM, Petr Viktorin wrote:
> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> When installing the client, we need to take extra care to only contact
>>> the one server we're installing against. Otherwise, in the real world,
>>> we might hit a server that hasn't replicated info about the client yet.
>>>
>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>> didn't have the host principal yet.
>>>
>>>
>>> To reproduce:
>>>
>>> - Install a "master" and "replica"
>>> - Change the Kerberos DNS entries to only point to the replica:
>>>      for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>          ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>      done
>>>      ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>      ipa dnsrecord-find $DOMAIN  # check
>>> - Sever communication between the hosts to disable replication:
>>>      (on master)
>>>      iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>> install client
>>>
>>> This will fail without the patch.
>>>
>>>
>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>> explain the bug. I learned a lot.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2982
>>
>> ACK, pushed to master and ipa-3-0
>>
>> rob
>>
>
> The patch broke server installs. Please revert it if you're having
> trouble while I look into it.
>
>

I messed up and removed the kinit call entirely when installing on 
master. Attaching a fix.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0080-Fix-server-installation.patch
Type: text/x-patch
Size: 1570 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/38d16776/attachment.bin>
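The thread's point is that during enrollment the client must get its host TGT from the one server it is enrolling against, because another KDC in the realm may not have the host principal replicated yet. The following is an added example, not the patch attached above or any FreeIPA code: it shows one way to pin kinit to a single KDC, by handing it a private krb5.conf through the KRB5_CONFIG environment variable with DNS SRV lookup disabled so libkrb5 cannot fail over to a different KDC. The realm, KDC hostname and keytab path are illustrative placeholders; whether the actual patch uses this exact mechanism is not stated on the page.

```shell
#!/bin/sh
# Added example (not FreeIPA's code): obtain a host TGT from exactly one KDC.
# Placeholders: REALM, KDC_HOST and KEYTAB are assumptions for illustration.

# Write a minimal krb5.conf naming a single KDC for the realm and turning off
# DNS SRV discovery, so kinit cannot silently pick a different (lagging) KDC.
pinned_krb5_conf() {
    realm=$1; kdc_host=$2; out=$3
    cat >"$out" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  $realm = {
    kdc = $kdc_host:88
    admin_server = $kdc_host:749
  }
EOF
    printf '%s\n' "$out"
}

# Run kinit against that one KDC only. KRB5_CONFIG is scoped to this single
# command, so the rest of the system keeps using /etc/krb5.conf untouched.
kinit_pinned() {
    realm=$1; kdc_host=$2; keytab=$3
    conf=$(mktemp) || return 1
    pinned_krb5_conf "$realm" "$kdc_host" "$conf" >/dev/null
    KRB5_CONFIG=$conf kinit -k -t "$keytab" "host/$(hostname -f)@$realm"
    rc=$?
    rm -f "$conf"
    return $rc
}

# Check used to verify the generated config: number of "kdc =" entries.
# Anything other than 1 means kinit could still reach a second server.
kdc_count() {
    grep -c '^[[:space:]]*kdc = ' "$1"
}

# Usage (assumed values):
#   kinit_pinned EXAMPLE.TEST master.example.test /etc/krb5.keytab
```

Note that setting `dns_lookup_kdc = false` is what actually closes the gap: with it left at its default, libkrb5 would consult the `_kerberos._tcp` SRV records (the very records the reproduction above repoints at the replica) and could still land on a KDC that has not yet seen the new host principal.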

