[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Tomas Babej tbabej at redhat.com
Thu Mar 7 15:27:48 UTC 2013


On 03/07/2013 04:12 PM, Petr Viktorin wrote:
> Thanks! I just have two more very minor nitpicks.
>
> On 03/06/2013 01:04 PM, Tomas Babej wrote:
>> On 03/05/2013 02:10 PM, Petr Viktorin wrote:
>>> Thanks! The mechanism works, but see below.
>>>
>>> This is an RFE so it needs a design document.
>>>
>> http://freeipa.org/page/V3/Client_install_using_keytab
>
> Please also add the link to the commit message.
>
>
> I think you answered Petr²'s security questions adequately.
> Petr, note that this is a client-side change; if the keytab is 
> compromised the attacker can do all this manually anyway.
>
>> diff --git a/ipa-client/ipa-install/ipa-client-install 
>> b/ipa-client/ipa-install/ipa-client-install
>> index 
>> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 
>> 100755
>> --- a/ipa-client/ipa-install/ipa-client-install
>> +++ b/ipa-client/ipa-install/ipa-client-install
>> @@ -104,6 +104,8 @@ def parse_options():
> [...]
>> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
>>           except ipaclient.ntpconf.NTPConfigurationError:
>>               pass
>>
>> -    if options.unattended and (options.password is None and 
>> options.principal is None and options.prompt_password is False) and 
>> not options.on_master:
>> -        root_logger.error("One of password and principal are 
>> required.")
>> +    if options.unattended and ((options.password is None and
>> +                                options.principal is None and
>> +                                options.keytab is None and
>> +                                options.prompt_password is False)\
>> +                                and not options.on_master):
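
Review bot: The error message for this condition needs to follow the new test, which now also checks options.keytab. The removed line reads "One of password and principal are required.", and its replacement is not visible in the quoted part of the hunk. Please confirm the new message names the keytab option as a third alternative, so an unattended run that stops here tells the admin every way to supply credentials.
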
>
> Please also remove the inner parentheses and the backslash.
>
Both fixed, updated patch attached.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0037-3-Add-support-for-re-enrolling-hosts-using-keytab.patch
Type: text/x-patch
Size: 8406 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130307/73ea6aab/attachment.bin>

