[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Tomas Babej tbabej at redhat.com
Fri Mar 8 14:01:45 UTC 2013


On Thu 07 Mar 2013 11:01:33 PM CET, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 03/07/2013 04:27 PM, Tomas Babej wrote:
>>> On 03/07/2013 04:12 PM, Petr Viktorin wrote:
>>>> Thanks! I just have two more very minor nitpicks.
>>>>
>>>> On 03/06/2013 01:04 PM, Tomas Babej wrote:
>>>>> On 03/05/2013 02:10 PM, Petr Viktorin wrote:
>>>>>> Thanks! The mechanism works, but see below.
>>>>>>
>>>>>> This is a RFE so it needs a design document.
>>>>>>
>>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>>
>>>> Please also add the link to the commit message.
>>>>
>>>>
>>>> I think you answered Petr²'s security questions adequately.
>>>> Petr, note that this is a client-side change; if the keytab is
>>>> compromised the attacker can do all this manually anyway.
>>>>
>>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>>> b/ipa-client/ipa-install/ipa-client-install
>>>>> index
>>>>> 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b
>>>>>
>>>>>
>>>>> 100755
>>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>>> @@ -104,6 +104,8 @@ def parse_options():
>>>> [...]
>>>>> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
>>>>>           except ipaclient.ntpconf.NTPConfigurationError:
>>>>>               pass
>>>>>
>>>>> -    if options.unattended and (options.password is None and
>>>>> options.principal is None and options.prompt_password is False) and
>>>>> not options.on_master:
>>>>> -        root_logger.error("One of password and principal are
>>>>> required.")
>>>>> +    if options.unattended and ((options.password is None and
>>>>> +                                options.principal is None and
>>>>> +                                options.keytab is None and
>>>>> +                                options.prompt_password is False)\
>>>>> +                                and not options.on_master):
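Review bot: the error line removed at `-        root_logger.error("One of password and principal are required.")` needs a replacement that names the new option, since the condition now also accepts `options.keytab`; the quoted hunk stops before any `+` line for it, so make sure the updated message reads something like "One of password, principal or keytab is required." (which also fixes the "are required" agreement in the old text).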
>>>>
>>>> Please also remove the inner parentheses and the backslash.
>>>>
>>> Both fixed, updated patch attached.
>>>
>>> Tomas
>>
>> ACK, thanks!
>>
>
> This needs related man page updates before we can push it.
>

Man pages updated:

[tbabej at thinkpad7 freeipa]$ git diff
diff --git a/ipa-client/man/ipa-client-install.1 
b/ipa-client/man/ipa-client-ins
[...]
+\fB\-k\fR, \fB\-\-keytab\fR
+Path to backed up host keytab from previous enrollment.
+.TP
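Review bot: the description at `+Path to backed up host keytab from previous enrollment.` only says where the file comes from; since the install code treats `--keytab` as an alternative to `--password`/`--principal` for unattended enrollment, the entry should also say that the keytab is used to authenticate the re-enrollment in place of those options.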
[...]
diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
[...]
+\fB\-f,\-\-force\fR
+Force enrolling the host even if host entry exists.
+.TP
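Review bot: the option line `+\fB\-f,\-\-force\fR` puts both forms in one bold span with no space after the comma, unlike `\fB\-k\fR, \fB\-\-keytab\fR` in the ipa-client-install.1 hunk; use the same form in both pages unless ipa-join.1 already formats its other options this way, and the description reads better as "even if a host entry already exists".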

> Can you update the design to specifically include that the old
> certificate needs to be revoked, not just that a new certificate be
> issued (sort of implied, and it worked in my testing)?

I updated the design page accordingly. However, shouldn't this be
handled by the server side automatically?

> rob

Updated patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0037-4-Add-support-for-re-enrolling-hosts-using-keytab.patch
Type: text/x-patch
Size: 9878 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130308/1552e20e/attachment.bin>