[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
Martin Kosek
mkosek at redhat.com
Tue Mar 12 14:14:23 UTC 2013
On 03/08/2013 03:01 PM, Tomas Babej wrote:
> On Thu 07 Mar 2013 11:01:33 PM CET, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 03/07/2013 04:27 PM, Tomas Babej wrote:
>>>> On 03/07/2013 04:12 PM, Petr Viktorin wrote:
>>>>> Thanks! I just have two more very minor nitpicks.
>>>>>
>>>>> On 03/06/2013 01:04 PM, Tomas Babej wrote:
>>>>>> On 03/05/2013 02:10 PM, Petr Viktorin wrote:
>>>>>>> Thanks! The mechanism works, but see below.
>>>>>>>
>>>>>>> This is a RFE so it needs a design document.
>>>>>>>
>>>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>>>
>>>>> Please also add the link to the commit message.
>>>>>
>>>>>
>>>>> I think you answered Petr²'s security questions adequately.
>>>>> Petr, note that this is a client-side change; if the keytab is
>>>>> compromised the attacker can do all this manually anyway.
>>>>>
>>>>>> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
>>>>>> index 308c3f8d0ec39e1e7f048d37a34738bf6a4853e2..a16a6b2d7cddbf7085b27c3835a4676919a8a15b 100755
>>>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>>>> @@ -104,6 +104,8 @@ def parse_options():
>>>>> [...]
>>>>>> @@ -1691,8 +1693,12 @@ def install(options, env, fstore, statestore):
>>>>>> except ipaclient.ntpconf.NTPConfigurationError:
>>>>>> pass
>>>>>>
>>>>>> - if options.unattended and (options.password is None and
>>>>>> options.principal is None and options.prompt_password is False) and
>>>>>> not options.on_master:
>>>>>> - root_logger.error("One of password and principal are
>>>>>> required.")
>>>>>> + if options.unattended and ((options.password is None and
>>>>>> + options.principal is None and
>>>>>> + options.keytab is None and
>>>>>> + options.prompt_password is False)\
>>>>>> + and not options.on_master):
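Review bot: the replacement condition in the `+` lines wraps the whole `options.password is None ... options.prompt_password is False` test in an extra pair of parentheses and ends a line with a backslash continuation even though it is already inside parentheses; both are unnecessary, and the trailing `\` before `and not options.on_master):` is easy to misread. The removed error message (`One of password and principal are required.`) also names only password and principal, while the new condition additionally accepts `options.keytab`; the replacement message, which the quoted hunk stops short of, should list the keytab option too, and `One of ... are` should read `One of ... is`.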
>>>>>
>>>>> Please also remove the inner parentheses and the backslash.
>>>>>
>>>> Both fixed, updated patch attached.
>>>>
>>>> Tomas
>>>
>>> ACK, thanks!
>>>
>>
>> This needs related man page updates before we can push it.
>>
>
> Man pages updated:
>
> [tbabej at thinkpad7 freeipa]$ git diff
> diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-ins
> [...]
> +\fB\-k\fR, \fB\-\-keytab\fR
> +Path to backed up host keytab from previous enrollment.
> +.TP
> [...]
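Review bot: the `-k, --keytab` entry describes the argument (`Path to backed up host keytab from previous enrollment.`) but not what the client does with it; since the code hunk quoted earlier in the thread accepts the keytab as an alternative to `--password` and `--principal`, a sentence saying the keytab is used to authenticate the re-enrollment of an already enrolled host in place of those options would make the purpose clear to someone reading only the man page. Minor: `backed up` should be hyphenated as `backed-up` when used as an adjective.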
> diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
> [...]
> +\fB\-f,\-\-force\fR
> +Force enrolling the host even if host entry exists.
> +.TP
>
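Review bot: the `\fB\-f,\-\-force\fR` entry sets both flags in one bold span with no space after the comma, unlike the `\fB\-k\fR, \fB\-\-keytab\fR` entry in ipa-client-install.1 quoted above; the same `\fB\-f\fR, \fB\-\-force\fR` form should be used for consistency. The description `Force enrolling the host even if host entry exists.` could also say what happens to the existing entry (whether it is reused and which of its credentials are replaced), given that the thread below notes the host's old certificate needs to be revoked on re-enrollment.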
>> Can you update the design to specifically include that the old
>> certificate needs to be revoked, not just that a new certificate be
>> issued (sort of implied, and it worked in my testing)?
>
> I updated the design page accordingly. However, shouldn't this be handled by
> the server side automatically?
>
>> rob
>
> Updated patch attached.
>
I see the requested man page update is there; the patches look OK now.
Thus, second ACK, pushed to master.
Martin