[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Tomas Babej tbabej at redhat.com
Wed Mar 6 12:04:31 UTC 2013


On 03/05/2013 02:10 PM, Petr Viktorin wrote:
> Thanks! The mechanism works, but see below.
>
> This is a RFE so it needs a design document.
>
http://freeipa.org/page/V3/Client_install_using_keytab
> For context, I'll include your comment from trac:
> > From my investigation I would conclude that we cannot support client
> > install using backed-up keytab when the host has been unenrolled
> > (e.g. after running ipa-client-install --uninstall). When
> > unenrolling, we disable the host entry in LDAP and therefore
> > effectively disable the Kerberos key, SSL certificate and all
> > services of a host.
> >
> > We should only support reenrollment for clients that have not been
> > unenrolled, and therefore still have valid Kerberos key.
>
> I think it also makes sense from a security point of view: if the 
> machine is compromised, I'd expect that after unenrolling it can't 
> come back on its own.
>
Yes, that's also an issue here.
>> A new option --keytab has been added to ipa-client-install. This
>> can be used to specify path to the keytab and can be used instead
>> of -p or -w options.
>
> With the patch this only works with --unattended; in interactive mode 
> it still asks for the admin username and password.
Fixed.
>
>> A host that has been previously unenrolled and does not have its
>> host entry disabled or removed, can be re-enrolled using
>> a previously backed up keytab file.
>
> I'd not say "unenrolled" here, unenrolling from IPA disables the host.
Reworded.
>
> [...]
>> diff --git a/ipa-client/ipa-install/ipa-client-install 
>> b/ipa-client/ipa-install/ipa-client-install
>> index 
>> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..e78b36a3c386184dc0cb1c83d8169890e3fa75da 
>> 100755
>> --- a/ipa-client/ipa-install/ipa-client-install
>> +++ b/ipa-client/ipa-install/ipa-client-install
>> @@ -104,6 +104,8 @@ def parse_options():
>>                         help="principal to use to join the IPA realm"),
>>       basic_group.add_option("-w", "--password", dest="password", 
>> sensitive=True,
>>                         help="password to join the IPA realm (assumes 
>> bulk password unless principal is also set)"),
>> +    basic_group.add_option("-k", "--keytab", dest="keytab", 
>> sensitive=True,
>> +                      help="path to backed up keytab from previous 
>> enrollment"),
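Review bot: `sensitive=True` on the new `-k/--keytab` option is misplaced; the value is a file path, not a secret, so it should not be masked the way `-w/--password` is. Drop the flag, and consider stating in the help text that the keytab is used instead of `-p`/`-w`, since the patch description presents it as an alternative to those options.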
>
> The keytab filename is not sensitive.
Fixed. I misunderstood what the option stands for.
>
> [...]
>>
>> -    if options.unattended and (options.password is None and 
>> options.principal is None and options.prompt_password is False) and 
>> not options.on_master:
>> +    if options.unattended and (options.password is None and
>> +                               options.principal is None and
>> +                               options.keytab is None and
>> +                               options.prompt_password is False)\
>> +                               and not options.on_master:
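Review bot: the widened condition only catches the case where no credential source is given at all; nothing in this hunk rejects `--keytab` supplied together with `-p`/`-w`, even though the description says the keytab replaces them. Add an explicit conflict check next to this test, e.g. `if options.keytab and (options.password or options.principal): parser.error("--keytab cannot be combined with -p or -w")`, so the installer does not have to silently pick one.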
>
> Style issue: Wrap everything in the parentheses instead of using the 
> backslash.
Fixed.
>
> [...]
>> +                    if returncode != 0:
>> +                        root_logger.error("Kerberos authentication 
>> failed "
>> +                                          "using keytab: %s" % 
>> options.keytab)
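Review bot: the error branch shown here only logs; make sure a non-zero return from the keytab authentication also aborts the join, since the hunk does not show the failure being propagated. Pass the path as a logging argument instead of interpolating with `%`, `root_logger.error("Kerberos authentication failed using keytab: %s", options.keytab)`, and consider including `returncode` in the message so the failing step can be diagnosed from the log.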
>
> Use a comma instead of the %
Fixed.
>
> [...]
>
> I'm not a C expert but the ipa-join changes look fine.
>
Thanks for the review, updated patches are attached.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0037-2-Add-support-for-re-enrolling-hosts-using-keytab.patch
Type: text/x-patch
Size: 8344 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130306/419c8d24/attachment.bin>