[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Petr Viktorin pviktori at redhat.com
Thu Mar 7 15:54:02 UTC 2013


On 03/07/2013 04:27 PM, Tomas Babej wrote:
> On 03/07/2013 04:12 PM, Petr Viktorin wrote:
>> Thanks! I just have two more very minor nitpicks.
>>
>> On 03/06/2013 01:04 PM, Tomas Babej wrote:
>>> On 03/05/2013 02:10 PM, Petr Viktorin wrote:
>>>> Thanks! The mechanism works, but see below.
>>>>
>>>> This is an RFE so it needs a design document.
>>>>
>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>
>> Please also add the link to the commit message.
>>
>>
>> I think you answered Petr²'s security questions adequately.
>> Petr, note that this is a client-side change; if the keytab is
>> compromised the attacker can do all this manually anyway.
>>
>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>> b/ipa-client/ipa-install/ipa-client-install
>>> index
>>> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b
>>> 100755
>>> --- a/ipa-client/ipa-install/ipa-client-install
>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>> @@ -104,6 +104,8 @@ def parse_options():
>> [...]
>>> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
>>>           except ipaclient.ntpconf.NTPConfigurationError:
>>>               pass
>>>
>>> -    if options.unattended and (options.password is None and
>>> options.principal is None and options.prompt_password is False) and
>>> not options.on_master:
>>> -        root_logger.error("One of password and principal are
>>> required.")
>>> +    if options.unattended and ((options.password is None and
>>> +                                options.principal is None and
>>> +                                options.keytab is None and
>>> +                                options.prompt_password is False)\
>>> +                                and not options.on_master):
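
Review bot: the hunk drops the `root_logger.error("One of password and principal are required.")` line, but the replacement message is not part of the quoted excerpt; since `options.keytab` now satisfies the unattended-install check, the new message should name keytab as a third accepted credential, or a failing unattended install will give misleading guidance. In the new condition, the backslash after `options.prompt_password is False)` is redundant because the expression is still inside an open parenthesis, and the extra inner parentheses around the password/principal/keytab/prompt_password group do not change how the expression evaluates; the reply to this hunk already asks for both to be removed.
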
>>
>> Please also remove the inner parentheses and the backslash.
>>
> Both fixed, updated patch attached.
>
> Tomas

ACK, thanks!

-- 
Petr³
