[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Tomas Babej tbabej at redhat.com
Thu Mar 7 15:58:04 UTC 2013


On Thu 07 Mar 2013 04:54:02 PM CET, Petr Viktorin wrote:
> On 03/07/2013 04:27 PM, Tomas Babej wrote:
>> On 03/07/2013 04:12 PM, Petr Viktorin wrote:
>>> Thanks! I just have two more very minor nitpicks.
>>>
>>> On 03/06/2013 01:04 PM, Tomas Babej wrote:
>>>> On 03/05/2013 02:10 PM, Petr Viktorin wrote:
>>>>> Thanks! The mechanism works, but see below.
>>>>>
>>>>> This is an RFE so it needs a design document.
>>>>>
>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>
>>> Please also add the link to the commit message.
>>>
>>>
>>> I think you answered Petr²'s security questions adequately.
>>> Petr, note that this is a client-side change; if the keytab is
>>> compromised the attacker can do all this manually anyway.
>>>
>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>> b/ipa-client/ipa-install/ipa-client-install
>>>> index
>>>> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b
>>>>
>>>> 100755
>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>> @@ -104,6 +104,8 @@ def parse_options():
>>> [...]
>>>> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
>>>>           except ipaclient.ntpconf.NTPConfigurationError:
>>>>               pass
>>>>
>>>> -    if options.unattended and (options.password is None and
>>>> options.principal is None and options.prompt_password is False) and
>>>> not options.on_master:
>>>> -        root_logger.error("One of password and principal are
>>>> required.")
>>>> +    if options.unattended and ((options.password is None and
>>>> +                                options.principal is None and
>>>> +                                options.keytab is None and
>>>> +                                options.prompt_password is False)\
>>>> +                                and not options.on_master):
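Review bot: The removed error text "One of password and principal are required." names only two of the options that the new condition tests, and the replacement message is not visible in this quoted hunk, so check that it also names the keytab option; an unattended run that stops here is diagnosed from that single log line. Separately, the options.keytab is None test only establishes that the option was given, so the keytab path still needs an existence and readability check before it is used for authentication.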
>>>
>>> Please also remove the inner parentheses and the backslash.
>>>
>> Both fixed, updated patch attached.
>>
>> Tomas
>
> ACK, thanks!
>

With your blessing, I moved the link to the design page from V3 
proposals to V3 designs.

Tomas



