| field | value | date |
|---|---|---|
| author | Florence Blanc-Renaud <frenaud@redhat.com> | 2016-06-01 17:42:48 +0200 |
| committer | Martin Basti <mbasti@redhat.com> | 2016-06-17 17:31:08 +0200 |
| commit | 4a7345e44804cf14f664814a2ab60f7a43ffa4ee (patch) | |
| tree | 4d8d7e60daf545c74e665935b8ad5294a086c0d7 /install/tools | |
| parent | d70e52b61b35f42ca2d34ef05310fd2c18c882ce (diff) | |
Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@EXAMPLE.COM).

When the FreeIPA server is running with a /etc/sssd/sssd.conf containing

    [sssd]
    default_domain_suffix = ad.domain.com

this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK

to avoid syntax issues with admin@DOMAIN@master

https://fedorahosted.org/freeipa/ticket/5812

Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/tools')

| mode | file | lines |
|---|---|---|
| -rwxr-xr-x | install/tools/ipa-replica-conncheck | 7 |

1 files changed, 5 insertions, 2 deletions
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdf08d631..991f4e429 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -66,7 +66,9 @@ class SshExec(object): '-o StrictHostKeychecking=no', '-o UserKnownHostsFile=%s' % tmpf.name, '-o GSSAPIAuthentication=yes', - '%s@%s' % (self.user, self.addr), command + '-o User=%s' % self.user, + '%s' % self.addr, + command ] if verbose: cmd.insert(1, '-v') @@ -517,7 +519,8 @@ def main(): except Exception: print_info("Retrying using SSH...") - user = principal.partition('@')[0] + # Ticket 5812 Always qualify requests for admin + user = principal ssh = SshExec(user, options.master) print_info("Check SSH connection to remote master") |
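Review bot: in the `SshExec` argument list, `'%s' % self.addr` is a no-op formatting of a value that is already used as a string; pass `self.addr` directly. Moving the user into its own `'-o User=%s' % self.user` element, separate from the host argument, is the right way to avoid the `admin@EXAMPLE.COM@master` ambiguity the commit message describes, and it matches the shape of the existing `'-o StrictHostKeychecking=no'` and `'-o UserKnownHostsFile=%s'` entries, which each carry the option and its value in one argv element. A one-line comment above the list saying why `User=` is used instead of `user@host` would keep the next reader from "simplifying" it back.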
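Review bot: in `main()`, `user = principal` carries the realm only when the caller supplied one; a bare `--principal admin` still reaches `SshExec` unqualified, so the title's "always qualify" only holds for input that was already qualified, and the `default_domain_suffix` failure described in the message would still reproduce for that input. If the IPA realm is available at this point in `main()` (it is not visible in this hunk), consider appending it when the principal contains no `@`, e.g. `user = principal if '@' in principal else '%s@%s' % (principal, realm)`. The variable name `user` is also now misleading, since it holds a full principal rather than a bare user name; renaming it (or extending the `# Ticket 5812` comment to say that the realm is intentionally kept) would make the intent clearer than the ticket number alone.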