[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Martin Kosek mkosek at redhat.com
Wed Sep 12 14:34:22 UTC 2012


On 09/12/2012 04:29 PM, Simo Sorce wrote:
> On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
>> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>>> Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
>>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> When installing the client, we need to take extra care to only contact
>>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>>>
>>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>>> didn't have the host principal yet.
>>>>>>>
>>>>>>>
>>>>>>> To reproduce:
>>>>>>>
>>>>>>> - Install a "master" and "replica"
>>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>>      for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' \
>>>>>>>              '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>>          ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>>>>      done
>>>>>>>      ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>>>>      ipa dnsrecord-find $DOMAIN  # check
>>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>>      (on master)
>>>>>>>      iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>>>>>> install client
>>>>>>>
>>>>>>> This will fail without the patch.
>>>>>>>
>>>>>>>
>>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>>> explain the bug. I learned a lot.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>>
>>>>>> ACK, pushed to master and ipa-3-0
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> The patch broke server installs. Please revert it if you're having
>>>>> trouble while I look into it.
>>>>>
>>>>>
>>>>
>>>> I messed up and removed the kinit call entirely when installing on
>>>> master. Attaching a fix.
>>>>
>>>
>>> Works for me, ACK.
>>>
>>> Honza
>>>
>>
>> When the server installation is complete, I was surprised to see I have now
>> host credentials in my CCACHE:
>>
>> # ipa-server-install --setup-dns
>> ...
>> ==============================================================================
>> Setup complete
>>
>> Next steps:
>> 	1. You must make sure these network ports are open:
>> 		TCP Ports:
>> 		  * 80, 443: HTTP/HTTPS
>> 		  * 389, 636: LDAP/LDAPS
>> 		  * 88, 464: kerberos
>> 		  * 53: bind
>> 		UDP Ports:
>> 		  * 88, 464: kerberos
>> 		  * 53: bind
>> 		  * 123: ntp
>>
>> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>> 	   and the web user interface.
>>
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this
>> file is the Directory Manager password
>>
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
>>
>> Valid starting     Expires            Service principal
>> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
>> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
>> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
>>
>>
>> I don't think this is expected behavior; the installer should use a CCACHE
>> separate from the user's default.
> 
> Definitely,
> a private install ccache should be used.
> Please open a ticket.
> 
> Simo.
> 

This is caused by a patch pushed today (in the scope of a fix for ticket 2982).
Petr Viktorin is working on a fix which will be sent soon, so I think that a
ticket is not necessary in this case.

Martin
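The two points raised in this thread (contact only the KDC you are enrolling against, and keep the host TGT out of the caller's default credential cache) can both be handled with standard MIT Kerberos environment knobs. The following is an added example written for this archive page, not FreeIPA's own installer code; the function names, the `example.test` realm and the sample `klist` text are constructed here, and the pinned-config approach is an assumption about how such a fix is typically done rather than a description of the actual patch.

```python
"""Obtain a host TGT from one specific KDC, into a private ccache.

Added example (not FreeIPA code). Assumed names: pinned_krb5_conf(),
install_env(), kinit_argv(), obtain_host_tgt(), leaks_host_credentials();
the EXAMPLE.TEST realm and the klist samples below are constructed.
"""
import os
import re
import subprocess


def pinned_krb5_conf(realm: str, domain: str, kdc: str) -> str:
    """Minimal krb5.conf naming exactly one KDC and disabling SRV lookup,
    so kinit cannot be steered to a replica that has not yet received the
    new host entry (the failure reproduced in the thread)."""
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "  dns_lookup_kdc = false\n"
        "  dns_lookup_realm = false\n"
        "\n"
        "[realms]\n"
        f"  {realm} = {{\n"
        f"    kdc = {kdc}:88\n"
        f"    master_kdc = {kdc}:88\n"
        f"    admin_server = {kdc}:749\n"
        "  }\n"
        "\n"
        "[domain_realm]\n"
        f"  .{domain} = {realm}\n"
        f"  {domain} = {realm}\n"
    )


def install_env(base_env: dict, ccache_path: str, krb5_conf_path: str) -> dict:
    """Environment for the installer's kinit: a private ccache plus the pinned
    config. The caller's own KRB5CCNAME, if any, is overridden, never reused,
    so the host TGT never lands in the admin's default cache."""
    env = dict(base_env)
    env["KRB5CCNAME"] = f"FILE:{ccache_path}"
    env["KRB5_CONFIG"] = krb5_conf_path
    return env


def kinit_argv(keytab: str, principal: str) -> list:
    """kinit -k -t <keytab> <principal>: non-interactive keytab login."""
    return ["kinit", "-k", "-t", keytab, principal]


def obtain_host_tgt(realm, domain, kdc, keytab, principal, workdir):
    """Run kinit against the one KDC into a throwaway ccache under workdir and
    return that ccache path. Needs a reachable KDC; the offline self-test
    below only exercises the pure helpers."""
    conf_path = os.path.join(workdir, "krb5.conf")
    ccache_path = os.path.join(workdir, "ccache")
    with open(conf_path, "w") as fh:
        fh.write(pinned_krb5_conf(realm, domain, kdc))
    env = install_env(os.environ, ccache_path, conf_path)
    subprocess.run(kinit_argv(keytab, principal), env=env, check=True)
    return ccache_path


_DEFAULT_PRINCIPAL = re.compile(r"^Default principal:\s*(\S+)", re.MULTILINE)


def default_principal(klist_output: str):
    """Principal named in a `klist` listing, or None if no cache was found."""
    m = _DEFAULT_PRINCIPAL.search(klist_output)
    return m.group(1) if m else None


def leaks_host_credentials(klist_output: str) -> bool:
    """True when the *default* ccache holds a host/ principal, i.e. the
    symptom seen after ipa-server-install in the thread. Run `klist` with the
    installer's KRB5CCNAME unset after enrollment and feed its output here."""
    principal = default_principal(klist_output)
    return principal is not None and principal.startswith("host/")


# Constructed klist output, shaped like the listing quoted in the thread.
SAMPLE_KLIST_LEAK = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client.example.test@EXAMPLE.TEST

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

SAMPLE_KLIST_CLEAN = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.TEST

Valid starting     Expires            Service principal
09/12/12 09:30:00  09/13/12 09:30:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

if __name__ == "__main__":
    print(pinned_krb5_conf("EXAMPLE.TEST", "example.test", "ipa.example.test"))
    print("default ccache leaks host TGT:", leaks_host_credentials(SAMPLE_KLIST_LEAK))
```

`KRB5_CONFIG` and `KRB5CCNAME` are honoured by MIT Kerberos, so the pinning and the isolation both happen without touching `/etc/krb5.conf`; the `leaks_host_credentials` check is the post-install sanity test a practitioner can run to confirm the admin's default cache still holds only the principal they expect.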
