[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
Petr Viktorin
pviktori at redhat.com
Tue Mar 5 13:10:17 UTC 2013
On 03/04/2013 06:27 PM, Tomas Babej wrote:
> Hi,
>
> A host that has been previously unenrolled and does not have its
> host entry disabled or removed, can be re-enrolled using
> a previously backed up keytab file.
Thanks! The mechanism works, but see below.
This is an RFE so it needs a design document.
For context, I'll include your comment from trac:
> From my investigation I would conclude that we cannot support client
> install using backed-up keytab when the host has been unenrolled
> (e.g. after running ipa-client-install --uninstall). When
> unenrolling, we disable the host entry in LDAP and therefore
> effectively disable the Kerberos key, SSL certificate and all
> services of a host.
>
> We should only support reenrollment for clients that have not been
> unenrolled, and therefore still have valid Kerberos key.
I think it also makes sense from a security point of view: if the
machine is compromised, I'd expect that after unenrolling it can't come
back on its own.
> A new option --keytab has been added to ipa-client-install. This
> can be used to specify path to the keytab and can be used instead
> of -p or -w options.
With the patch this only works with --unattended; in interactive mode it
still asks for the admin username and password.
> A new option -f has been added to ipa-join. It forces client to
> join even if the host entry already exits. A new certificate,
> ssh keys are generated, ipaUniqueID stays the same.
> https://fedorahosted.org/freeipa/ticket/3374
>
> Attaching a comparison between host entry states
> (enrolled using principal and reenrolled using keytab).
>
> Tomas
> freeipa-tbabej-0037-Add-support-for-re-enrolling-hosts-using-keytab.patch
>
>
> From e576009bb7a93daec1cbc4ef94785017f80b2756 Mon Sep 17 00:00:00 2001
> From: Tomas Babej <tbabej at redhat.com>
> Date: Tue, 26 Feb 2013 13:20:13 +0100
> Subject: [PATCH] Add support for re-enrolling hosts using keytab
>
> A host that has been previously unenrolled and does not have its
> host entry disabled or removed, can be re-enrolled using
> a previously backed up keytab file.
I'd not say "unenrolled" here; unenrolling from IPA disables the host.
[...]
> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
> index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 100755
> --- a/ipa-client/ipa-install/ipa-client-install
> +++ b/ipa-client/ipa-install/ipa-client-install
> @@ -104,6 +104,8 @@ def parse_options():
> help="principal to use to join the IPA realm"),
> basic_group.add_option("-w", "--password", dest="password", sensitive=True,
> help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
> + basic_group.add_option("-k", "--keytab", dest="keytab", sensitive=True,
> + help="path to backed up keytab from previous enrollment"),
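Review bot: `sensitive=True` on the new `--keytab` option marks a file path, not a secret, so it should be dropped; that flag is for values such as `--password` that must be kept out of the install log. The new lines also copy the stray trailing comma after `basic_group.add_option(...)` from the surrounding lines, which turns each statement into a one-element tuple expression and should not be carried into new code. Since the commit message says `--keytab` is used instead of `-p`/`-w`, `parse_options()` should also reject `--keytab` given together with `--principal` or `--password`, and check that the path exists and is readable before a join is attempted.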
The keytab filename is not sensitive.
[...]
>
> - if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master:
> + if options.unattended and (options.password is None and
> + options.principal is None and
> + options.keytab is None and
> + options.prompt_password is False)\
> + and not options.on_master:
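Review bot: the `options.prompt_password is False` comparison in the new condition should be `not options.prompt_password`, and the continuation belongs inside the parentheses rather than on a backslash, e.g. `if (options.unattended and options.password is None and options.principal is None and options.keytab is None and not options.prompt_password and not options.on_master):`. This guard only covers unattended mode; the interactive path that prompts for an admin principal and password needs the same `options.keytab is None` condition, otherwise a keytab-based interactive run still asks for credentials.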
Style issue: Wrap everything in the parentheses instead of using the
backslash.
[...]
> + if returncode != 0:
> + root_logger.error("Kerberos authentication failed "
> + "using keytab: %s" % options.keytab)
Use a comma instead of the %
[...]
I'm not a C expert but the ipa-join changes look fine.
--
Petr³
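As an added example (not FreeIPA's code and not part of Tomas's patch), here is how the credential-option check discussed above could be written in Python: the unattended condition wrapped in parentheses instead of a backslash, the keytab path validated as an ordinary (non-sensitive) file, `--keytab` rejected alongside `-p`/`-w` since the commit message says it replaces them, and the interactive prompt decision extended so a keytab run does not ask for an admin password. `make_options`, `credential_errors`, `must_prompt_for_admin` and `demo` are names invented for this example, and the option attribute defaults are assumed.

```python
import os
import tempfile
from types import SimpleNamespace


def make_options(**overrides):
    """Build an options object with the credential-related attributes that
    ipa-client-install's parse_options() produces (attribute names taken from
    the patch; the defaults are assumed for this example)."""
    base = dict(unattended=False, password=None, principal=None,
                keytab=None, prompt_password=False, on_master=False)
    base.update(overrides)
    return SimpleNamespace(**base)


def credential_errors(options):
    """Return a list of option errors; an empty list means the credential
    options are consistent.  The first check is the patch's unattended-mode
    condition, written without the backslash and with 'not' in place of
    'is False'."""
    errors = []
    if (options.unattended
            and options.password is None
            and options.principal is None
            and options.keytab is None
            and not options.prompt_password
            and not options.on_master):
        errors.append("unattended mode needs one of --principal, --password, "
                      "--prompt-password or --keytab")

    if options.keytab is not None:
        # --keytab replaces -p/-w, so combining them is a usage error.
        if options.password is not None or options.principal is not None:
            errors.append("--keytab cannot be combined with --principal or --password")
        # The path itself is not secret, but it must point at a readable file
        # before kinit is attempted with it.
        if not os.path.isfile(options.keytab):
            errors.append("keytab %s does not exist" % options.keytab)
        elif not os.access(options.keytab, os.R_OK):
            errors.append("keytab %s is not readable" % options.keytab)
    return errors


def must_prompt_for_admin(options):
    """Interactive-mode decision: prompt for an admin principal and password
    only when no other credential source was supplied.  Including --keytab
    here is what stops a keytab-based interactive run from asking for one."""
    return (not options.unattended
            and options.password is None
            and options.principal is None
            and options.keytab is None)


def demo():
    """Exercise the checks against a constructed (empty) keytab file and
    return the outcomes keyed by scenario."""
    with tempfile.NamedTemporaryFile(suffix=".keytab") as fake_keytab:
        results = {
            "nothing_given": credential_errors(make_options(unattended=True)),
            "on_master": credential_errors(make_options(unattended=True, on_master=True)),
            "keytab_ok": credential_errors(
                make_options(unattended=True, keytab=fake_keytab.name)),
            "keytab_missing": credential_errors(
                make_options(unattended=True, keytab="/nonexistent/host.keytab")),
            "keytab_plus_password": credential_errors(
                make_options(unattended=True, keytab=fake_keytab.name, password="hunter2")),
            "prompt_with_keytab": must_prompt_for_admin(make_options(keytab=fake_keytab.name)),
            "prompt_without_anything": must_prompt_for_admin(make_options()),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-24s %r" % (name, outcome))
```

Running the block prints one line per scenario; the only scenarios that produce errors are the run with no credential source at all, the missing keytab file, and `--keytab` combined with `--password`, while `must_prompt_for_admin` is False as soon as a keytab is given.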