[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
Martin Kosek
mkosek at redhat.com
Wed Sep 12 14:04:37 UTC 2012
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
> Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> When installing the client, we need to take extra care to only contact
>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>
>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>> didn't have the host principal yet.
>>>>>
>>>>>
>>>>> To reproduce:
>>>>>
>>>>> - Install a "master" and "replica"
>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>> for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' \
>>>>>     '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>     ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>> done
>>>>> ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>> ipa dnsrecord-find $DOMAIN   # check
>>>>> - Sever communication between the hosts to disable replication:
>>>>> (on master)
>>>>> iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>>>> install client
>>>>>
>>>>> This will fail without the patch.
>>>>>
>>>>>
>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>> explain the bug. I learned a lot.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>
>>>> ACK, pushed to master and ipa-3-0
>>>>
>>>> rob
>>>>
>>>
>>> The patch broke server installs. Please revert it if you're having
>>> trouble while I look into it.
>>>
>>>
>>
>> I messed up and removed the kinit call entirely when installing on
>> master. Attaching a fix.
>>
>
> Works for me, ACK.
>
> Honza
>
When the server installation is complete, I was surprised to see that I now have
host credentials in my CCACHE:
# ipa-server-install --setup-dns
...
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
I don't think this is expected behavior; the installer should use a CCACHE
separate from the user's default.
Martin
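The two points raised in this thread, pinning the host kinit to one KDC so it cannot fall back to a replica that has not yet received the host principal, and keeping the installer's credentials out of the user's default ccache, can be illustrated with a small shell sketch. This is an added example written for this page, not the ipa-client-install or ipa-server-install code; the realm, KDC host, FQDN and keytab path are assumptions, and the klist output used for the check is constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Realm, host names and paths are assumptions.

# Print a minimal krb5.conf that names exactly one KDC for the realm and
# disables DNS SRV discovery, so libkrb5 cannot wander to another server
# that may not have replicated the new host principal yet.
pinned_krb5_conf() {
    realm=$1
    kdc=$2
    cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  $realm = {
    kdc = $kdc:88
    master_kdc = $kdc:88
    admin_server = $kdc:749
    kpasswd_server = $kdc:464
  }
EOF
}

# Obtain the host TGT from the pinned KDC into a private ccache.
# The caller's own KRB5CCNAME (e.g. FILE:/tmp/krb5cc_0) is never touched;
# the ccache name is printed so the caller can use it and remove it later.
host_kinit_pinned() {
    realm=$1
    kdc=$2
    fqdn=$3
    keytab=${4:-/etc/krb5.keytab}
    workdir=$(mktemp -d) || return 1
    pinned_krb5_conf "$realm" "$kdc" > "$workdir/krb5.conf"
    KRB5_CONFIG="$workdir/krb5.conf" \
    KRB5CCNAME="FILE:$workdir/ccache" \
        kinit -k -t "$keytab" "host/$fqdn@$realm" || return 1
    echo "FILE:$workdir/ccache"
}

# Read 'klist' output on stdin and print the default principal. Handy as a
# post-install check that the user's default ccache did not pick up a
# host/ principal, which is the surprise reported above.
klist_default_principal() {
    sed -n 's/^Default principal: //p'
}

# Exit 0 if the principal is a host principal, 1 otherwise.
is_host_principal() {
    case $1 in
        host/*) return 0 ;;
        *)      return 1 ;;
    esac
}
```

Usage: `cc=$(host_kinit_pinned IDM.EXAMPLE.TEST replica.idm.example.test client.idm.example.test)` obtains the host TGT only from `replica.idm.example.test`, and any later `KRB5CCNAME=$cc ipa ...` call uses that private cache. After the installer finishes, `klist | klist_default_principal` should not print a `host/` principal; if `is_host_principal "$(klist | klist_default_principal)"` succeeds, the installer has leaked its credentials into the user's default ccache. Setting `dns_lookup_kdc = false` matters as much as naming the KDC: with SRV lookup enabled, a `kdc =` entry is only one candidate among those DNS returns.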