[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Petr Viktorin pviktori at redhat.com
Wed Sep 12 16:02:12 UTC 2012


On 09/12/2012 04:04 PM, Martin Kosek wrote:
> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>> Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
>>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> When installing the client, we need to take extra care to only contact
>>>>>> the one server we're installing against. Otherwise, in the real world,
>>>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>>>
>>>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>>>> didn't have the host principal yet.
>>>>>>
>>>>>>
>>>>>> To reproduce:
>>>>>>
>>>>>> - Install a "master" and "replica"
>>>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>>>       for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
>>>>>> '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>>>           ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
>>>>>> $REPLICA_HOSTNAME"
>>>>>>       done
>>>>>>       ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
>>>>>> $MASTER_HOSTNAME"
>>>>>>       ipa dnsrecord-find $DOMAIN  # check
>>>>>> - Sever communication between the hosts to disable replication:
>>>>>>       (on master)
>>>>>>       iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>>>>> install client
>>>>>>
>>>>>> This will fail without the patch.
>>>>>>
>>>>>>
>>>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>>>> explain the bug. I learned a lot.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>>>
>>>>> ACK, pushed to master and ipa-3-0
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> The patch broke server installs. Please revert it if you're having
>>>> trouble while I look into it.
>>>>
>>>>
>>>
>>> I messed up and removed the kinit call entirely when installing on
>>> master. Attaching a fix.
>>>
>>
>> Works for me, ACK.
>>
>> Honza
>>
>
> When the server installation is complete, I was surprised to see I have now
> host credentials in my CCACHE:
>
> # ipa-server-install --setup-dns
> ...
> ==============================================================================
> Setup complete
>
> Next steps:
> 	1. You must make sure these network ports are open:
> 		TCP Ports:
> 		  * 80, 443: HTTP/HTTPS
> 		  * 389, 636: LDAP/LDAPS
> 		  * 88, 464: kerberos
> 		  * 53: bind
> 		UDP Ports:
> 		  * 88, 464: kerberos
> 		  * 53: bind
> 		  * 123: ntp
>
> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> 	   and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/vm-086.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM
>
> Valid starting     Expires            Service principal
> 09/12/12 09:28:24  09/13/12 09:28:24
> krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
> 09/12/12 09:28:24  09/13/12 09:28:24
> HTTP/vm-086.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM
> 09/12/12 09:28:26  09/13/12 09:28:24
> DNS/vm-086.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM
>
>
> I don't think this is an expected behavior, installer should use a CCACHE
> separate from user's default.
>
> Martin

I need to slow down.
Thanks for the catch. Attaching another fix.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0080-02-Add-host-key-to-temporary-key-cache-on-server-instal.patch
Type: text/x-patch
Size: 1281 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/dbf0574f/attachment.bin>
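The two problems discussed above (kinit wandering off to a replica that has not yet replicated the host principal, and the installer leaving host/... tickets in root's default ccache) are both addressed by the same two knobs in MIT Kerberos: a private krb5.conf that names exactly one KDC with DNS lookup disabled, and a private KRB5CCNAME. The following is an added illustration of that pattern and is not FreeIPA's code or the patch attached here; the realm, server and keytab names it takes are placeholders, and the krb5.conf layout it emits is the standard MIT one, not something copied from ipa-client-install.

```python
"""Pin kinit to one KDC and keep the host TGT out of the user's default ccache.

Added example (not FreeIPA code): writes a temporary krb5.conf whose realm
section names only the server being enrolled against, and points KRB5CCNAME
at a throwaway file so the host principal's tickets never land in the
caller's default cache (e.g. /tmp/krb5cc_0).  Realm, server and keytab
names passed in by the caller are constructed for illustration.
"""
import os
import subprocess
import tempfile
from contextlib import contextmanager


def pinned_krb5_conf(realm, kdc, domain=None):
    """Return a minimal krb5.conf that disables SRV-record discovery and
    names a single KDC for the realm, so libkrb5 cannot pick a different
    replica via _kerberos._tcp / _kerberos._udp lookups."""
    domain = domain or realm.lower()
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "  dns_lookup_realm = false\n"
        "  dns_lookup_kdc = false\n"
        "\n"
        "[realms]\n"
        f"  {realm} = {{\n"
        f"    kdc = {kdc}:88\n"
        f"    master_kdc = {kdc}:88\n"
        f"    admin_server = {kdc}:749\n"
        f"    kpasswd_server = {kdc}:464\n"
        "  }\n"
        "\n"
        "[domain_realm]\n"
        f"  .{domain} = {realm}\n"
        f"  {domain} = {realm}\n"
    )


def kinit_env(conf_path, ccache_path):
    """Environment for a kinit (and any follow-up tools) that reads only
    conf_path and writes only ccache_path, leaving the user's default
    credential cache untouched."""
    env = dict(os.environ)
    env["KRB5_CONFIG"] = conf_path
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return env


@contextmanager
def host_tgt_from(realm, kdc, keytab="/etc/krb5.keytab", principal=None):
    """Obtain a host TGT from exactly one KDC into a temporary ccache.

    Yields the environment to pass to subsequent commands (ipa-getkeytab,
    ldapsearch, ...); removes the temporary krb5.conf and ccache on exit so
    no host credentials outlive the enrollment step."""
    tmpdir = tempfile.mkdtemp(prefix="krb5-pin-")
    conf = os.path.join(tmpdir, "krb5.conf")
    ccache = os.path.join(tmpdir, "ccache")
    with open(conf, "w") as f:
        f.write(pinned_krb5_conf(realm, kdc))
    env = kinit_env(conf, ccache)
    cmd = ["kinit", "-k", "-t", keytab]      # -k: use keytab, no password
    if principal:
        cmd.append(principal)               # defaults to host/<fqdn>@REALM
    try:
        subprocess.run(cmd, env=env, check=True)
        yield env
    finally:
        for path in (ccache, conf):
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass
        os.rmdir(tmpdir)
```

Typical use is `with host_tgt_from("EXAMPLE.TEST", "master.example.test") as env: subprocess.run([...], env=env)`; after the block exits, `klist` in the calling shell shows whatever it showed before, which is the behaviour Martin expected from the server installer.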