authorMartin Kosek <mkosek@redhat.com>2011-03-21 14:50:05 +0100
committerMartin Kosek <mkosek@redhat.com>2011-05-17 08:56:22 +0200
commit95b4040f6b4f43b864dce86648f09a1402889af9 (patch)
treee198e1845ad099fc60117296ed812c72d5847101 /ipa-client/ipa-install/ipa-client-install
parenta7f9814ab702cfa42988e47e80f44b57a195ad1e (diff)
KDC autodiscovery may fail when domain is not realm
When ipa-client-install autodiscovers IPA server values, it does not write a fixed KDC address to the Kerberos configuration file. However, when realm != domain or the autodiscovered values are overridden, installation may fail because it cannot find the KDC. This patch adds a failover that uses a static KDC address when such an issue occurs. https://fedorahosted.org/freeipa/ticket/1100
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install15
1 files changed, 10 insertions, 5 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2bcd4b9..79ed6fa 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -386,7 +386,7 @@ def hardcode_ldap_server(cli_server):
return
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ")
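Review bot: The new `cli_kdc` parameter is undocumented, and in the hunks shown it is only ever tested for truthiness (`not cli_kdc`); the static entry written under [realms] is still `cli_server+':88'`, not the discovered KDC name. A comment above the signature would make that explicit, e.g. `# cli_kdc: KDC name from DNS discovery (falsy if none found); only decides whether the KDC is pinned to cli_server`. Because it is inserted in the middle of nine positional parameters, any caller that was not updated would silently shift `dnsok`, `options` and `filename`; the two call sites in main() are updated in this patch. The function body continues outside the hunk.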
@@ -399,7 +399,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d
#[libdefaults]
libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
- if not dnsok or options.force:
+ if not dnsok or not cli_kdc or options.force:
libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
else:
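Review bot: The condition `not dnsok or not cli_kdc or options.force` is now spelled out twice, here for [libdefaults] and again in the hunk at -413 for [realms], and the two copies must stay identical. If they ever diverge, krb5.conf can end up with `dns_lookup_kdc = false` and no `kdc` entry, or with a pinned KDC while DNS lookup is still enabled. Computing it once near the top of the function, `use_static_kdc = not dnsok or not cli_kdc or options.force`, and testing `if use_static_kdc:` in both places would remove that risk. The `else:` branch continues outside the hunk.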
@@ -413,7 +413,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d
opts.append({'name':'empty', 'type':'empty'})
#the following are necessary only if DNS discovery does not work
- if not dnsok or options.force:
+ if not dnsok or not cli_kdc or options.force:
#[realms]
kropts =[{'name':'kdc', 'type':'option', 'value':cli_server+':88'},
{'name':'admin_server', 'type':'option', 'value':cli_server+':749'},
@@ -716,6 +716,11 @@ def main():
print >>sys.stderr, "due to network or firewall settings."
return ret
+ cli_kdc = ds.getKDCName()
+ if dnsok and not cli_kdc:
+ print >>sys.stderr, "DNS domain '%s' is not configured for automatic KDC address lookup." % ds.getRealmName().lower()
+ print >>sys.stderr, "KDC address will be set to fixed value.\n"
+
if dnsok:
print "Discovery was successful!"
elif not options.unattended:
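Review bot: `cli_kdc = ds.getKDCName()` reflects only what discovery found, and the warning names `ds.getRealmName().lower()` rather than the realm that is finally written to krb5.conf. The commit message says the failure also occurs when the autodiscovered values are overridden; if main() applies such overrides to `cli_realm` or `cli_server` (not visible in this hunk), a truthy `cli_kdc` for the discovered realm would still leave `dns_lookup_kdc = true` for the overridden one. It is worth confirming that case is covered, or recording the limitation next to the assignment with `# NOTE: cli_kdc is the KDC discovered for ds.getRealmName(); it is not re-checked after option overrides`. The call also assumes `ds.getRealmName()` is not None whenever `dnsok` is true, otherwise `.lower()` would raise.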
@@ -772,7 +777,7 @@ def main():
try:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
- if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, krb_name):
+ if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
sys.exit("Test kerberos configuration failed")
env['KRB5_CONFIG'] = krb_name
join_args = ["/usr/sbin/ipa-join", "-s", cli_server]
@@ -864,7 +869,7 @@ def main():
if not options.on_master:
# Configure krb5.conf
fstore.backup_file("/etc/krb5.conf")
- if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, "/etc/krb5.conf"):
+ if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, "/etc/krb5.conf"):
return 1
print "Configured /etc/krb5.conf for IPA realm " + cli_realm