author | Simo Sorce <simo@redhat.com> | 2015-07-28 11:31:16 -0400 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-10-15 14:24:33 +0200 |
commit | 5761f73e2598dc404a3b51c6810e3dd250d2ba11 (patch) | |
tree | 8abaf4037e15efef98d464d77d75f68cec9ffb29 | |
parent | f7d1e4f9a21b0f3e63bd3bcd4a17acf749e0b208 (diff) | |
Allow ipa-replica-conncheck to use default creds
If the user has already run kinit, try to use those credentials.
The user can always override by explicitly passing the -p flag.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rwxr-xr-x | install/tools/ipa-replica-conncheck | 105 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 7 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 14 |
3 files changed, 83 insertions, 43 deletions
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 9050c8e08..e4c259b7e 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -40,11 +40,12 @@ import errno
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
+import gssapi
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
 QUIET = False
-CCACHE_FILE = paths.CONNCHECK_CCACHE
+CCACHE_FILE = None
 KRB5_CONFIG = None
 class SshExec(object):
@@ -64,12 +65,22 @@ class SshExec(object):
 self.cmd,
 '-o StrictHostKeychecking=no',
 '-o UserKnownHostsFile=%s' % tmpf.name,
+ '-o GSSAPIAuthentication=yes',
 '%s@%s' % (self.user, self.addr),
 command
 ]
 if verbose:
 cmd.insert(1, '-v')
- env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
+ env = dict()
+ if KRB5_CONFIG is not None:
+ env['KRB5_CONFIG'] = KRB5_CONFIG
+ elif 'KRB5_CONFIG' in os.environ:
+ env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
+ if CCACHE_FILE is not None:
+ env['KRB5CCNAME'] = CCACHE_FILE
+ elif 'KRB5CCNAME' in os.environ:
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
+
 return ipautil.run(cmd, env=env, raiseonerr=False)
@@ -110,7 +121,7 @@ def parse_options():
 replica_group.add_option("-k", "--kdc", dest="kdc",
 help="Master KDC. Defaults to master address")
 replica_group.add_option("-p", "--principal", dest="principal",
- default="admin", help="Principal to use to log in to remote master")
+ default=None, help="Principal to use to log in to remote master")
 replica_group.add_option("-w", "--password", dest="password", sensitive=True,
 help="Password for the principal"),
 parser.add_option_group(replica_group)
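Review bot: The two fall-back chains that build `env` are the same three-line pattern written twice, and `env = dict()` is the older spelling of `env = {}`; a single loop over `(('KRB5_CONFIG', KRB5_CONFIG), ('KRB5CCNAME', CCACHE_FILE))` states the precedence (module-level override first, inherited environment second) once and keeps the two variables from drifting apart later. Whether a key that is absent from `env` means the child inherits the caller's value or gets no value at all depends on how ipautil.run treats `env`, which is not visible here, so a one-line comment such as `# explicit override wins, otherwise forward the caller's value` would save the next reader a lookup. The enclosing method starts outside the hunk.
```python
        env = {}
        # An explicit module-level override wins; otherwise forward the
        # caller's value so ssh sees the same krb5.conf/ccache as this process.
        for var, override in (('KRB5_CONFIG', KRB5_CONFIG),
                              ('KRB5CCNAME', CCACHE_FILE)):
            value = override if override is not None else os.environ.get(var)
            if value is not None:
                env[var] = value

        return ipautil.run(cmd, env=env, raiseonerr=False)
```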
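Review bot: The help text for `-p/--principal` still reads as if the option always has a meaningful value, but with `default=None` the tool now first tries the credential cache it already has and only then falls back to `admin` (see the main() hunk below), and a user cannot learn that from `--help`. Suggest `help="Principal to use to log in to remote master. Defaults to the principal of the current credential cache, or 'admin' if no credentials are found"`. parse_options() starts and ends outside the hunk.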
@@ -352,45 +363,63 @@ def main():
 remote_check_opts = ['--replica %s' % options.hostname]
 if options.auto_master_check:
- (krb_fd, krb_name) = tempfile.mkstemp()
- os.close(krb_fd)
- configure_krb5_conf(options.realm, options.kdc, krb_name)
- global KRB5_CONFIG
- KRB5_CONFIG = krb_name
- print_info("Get credentials to log in to remote master")
- if options.principal.find('@') == -1:
- principal = '%s@%s' % (options.principal, options.realm)
- user = options.principal
+ cred = None
+ if options.principal is None:
+ # Check if ccache is available
+ try:
+ root_logger.debug('KRB5CCNAME set to %s' %
+ os.environ.get('KRB5CCNAME', None))
+ # get default creds, will raise if none found
+ cred = gssapi.creds.Credentials()
+ principal = str(cred.name)
+ except gssapi.raw.misc.GSSError as e:
+ root_logger.debug('Failed to find default ccache: %s' % e)
+ # Use admin as the default principal
+ principal = "admin"
 else:
 principal = options.principal
- user = options.principal.partition('@')[0]
-
- if options.password:
- password=options.password
- else:
- password = installutils.read_password(principal, confirm=False,
- validate=False, retry=False)
- if password is None:
- sys.exit("Principal password required")
-
-
- stderr=''
- (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
- env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
- stdin=password, raiseonerr=False)
- if returncode != 0:
- raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
-
- # Verify kinit was actually successful
- stderr=''
- (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
- 'host/%s' % options.master],
- env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
- raiseonerr=False)
- if returncode != 0:
- raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+ if cred is None:
+ (krb_fd, krb_name) = tempfile.mkstemp()
+ os.close(krb_fd)
+ configure_krb5_conf(options.realm, options.kdc, krb_name)
+ global KRB5_CONFIG
+ KRB5_CONFIG =
krb_name
+ (ccache_fd, ccache_name) = tempfile.mkstemp()
+ os.close(ccache_fd)
+ global CCACHE_FILE
+ CCACHE_FILE = ccache_name
+
+ if principal.find('@') == -1:
+ principal = '%s@%s' % (principal, options.realm)
+
+ if options.password:
+ password=options.password
+ else:
+ password = installutils.read_password(principal, confirm=False,
+ validate=False, retry=False)
+ if password is None:
+ sys.exit("Principal password required")
+
+
+ stderr=''
+ (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
+ env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+ stdin=password, raiseonerr=False)
+ if returncode != 0:
+ raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
+
+ # Verify kinit was actually successful
+ stderr=''
+ (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
+ 'host/%s' % options.master],
+ env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+ raiseonerr=False)
+ if returncode != 0:
+ raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
+ user = principal.partition('@')[0]
 ssh = SshExec(user, options.master)
 print_info("Check SSH connection to remote master")
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 858e3f36b..45dea27bb 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -64,7 +64,8 @@ STRIP_ATTRS = ('modifiersName',
 def replica_conn_check(master_host, host_name, realm, check_ca,
- dogtag_master_ds_port, admin_password=None):
+ dogtag_master_ds_port, admin_password=None,
+ principal="admin"):
 """
 Check the ports used by the replica both locally and remotely to be sure
 that replication will work.
@@ -74,10 +75,12 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 print("Run connection check to master")
 args = [paths.IPA_REPLICA_CONNCHECK, "--master", master_host,
 "--auto-master-check", "--realm", realm,
- "--principal", "admin",
 "--hostname", host_name]
 nolog=tuple()
+ if principal is not None:
+ args.extend(["--principal", principal])
+
 if admin_password:
 args.extend(["--password", admin_password])
 nolog=(admin_password,)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 13573f404..88f016179 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -821,6 +821,7 @@ def promote_check(installer):
 installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 # Check if ccache is available
+ default_cred = None
 try:
 root_logger.debug('KRB5CCNAME set to %s' %
 os.environ.get('KRB5CCNAME', None))
@@ -853,8 +854,8 @@ def promote_check(installer):
 stdin = None
 if principal.find('@') == -1:
 principal = '%s@%s' % (principal, config.realm_name)
- if options.password is not None:
- stdin = options.password
+ if options.admin_password is not None:
+ stdin = options.admin_password
 else:
 if not options.unattended:
 try:
@@ -876,6 +877,9 @@ def promote_check(installer):
 else:
 stdin = sys.stdin.readline()
+ # set options.admin_password for future use
+ options.admin_password = stdin
+
 try:
 ipautil.kinit_password(principal, stdin, ccache_name)
 except RuntimeError as e:
@@ -1030,9 +1034,13 @@ def promote_check(installer):
 # check connection
 if not options.skip_conncheck:
+ p = None
+ if default_cred is None:
+ p = principal
 replica_conn_check(
 config.master_host_name, config.host_name, config.realm_name,
- options.setup_ca, dogtag.Dogtag10Constants.DS_PORT)
+ options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
+ options.admin_password, principal=p)
 if not ipautil.file_exists(cafile):
 raise RuntimeError("CA cert file is not available.") |
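Review bot: The `kvno host/<master>` verification now lives inside `if cred is None:`, so when credentials are picked up from the default cache nothing confirms they can actually obtain a service ticket for the master; an expired or wrong-realm cache is only discovered when the later ssh step fails with a far less specific error. Dedenting the `# Verify kinit was actually successful` block one level so it runs after both branches would keep the old guarantee, but note that in the default-credential case `KRB5_CONFIG` and `CCACHE_FILE` are still the module-level `None` (hunk at line 40), so the dedented check should build its environment the same way the ssh wrapper now does instead of passing `env={'KRB5_CONFIG': None, 'KRB5CCNAME': None}`. The krb5.conf and ccache created with `tempfile.mkstemp()` are not removed anywhere in the hunk, and since `CCACHE_FILE` stays `None` unless this branch ran, any cleanup outside the hunk that unconditionally removes it now needs a `None` guard. The `print_info("Get credentials to log in to remote master")` line was dropped without a replacement, so the `read_password` prompt now appears without its explanatory line. main() starts and ends outside the hunk.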
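Review bot: The new `principal` parameter is not described in the docstring the hunk cuts into, and its contract is easy to misread: the signature defaults to `"admin"`, while `None` makes the helper omit `--principal` entirely so that ipa-replica-conncheck picks the principal itself (its default credential cache, falling back to admin). Suggest adding a line such as `principal: principal used to log in to the master; None lets ipa-replica-conncheck use the caller's credential cache` to the docstring, alongside a matching line for `admin_password`. The function body continues outside the hunk.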
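Review bot: `options.admin_password = stdin` stores whatever was read, and in the unattended branch two lines above that is `sys.stdin.readline()`, which keeps its trailing newline; the stored value is later passed to `replica_conn_check` as a `--password` argument (hunk at line 1030), so it is worth confirming that the conncheck tool's kinit tolerates the newline, or storing `stdin.rstrip('\n')` while still handing the original `stdin` to `kinit_password`. The comment `# set options.admin_password for future use` does not say what the future use is; `# keep the password: replica_conn_check below forwards it to ipa-replica-conncheck` names it. promote_check() starts and ends outside the hunk.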
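Review bot: The call now puts the admin password on a child process's command line: `options.admin_password` reaches `replica_conn_check`, which appends it as `--password <value>` (hunk at line 74), whereas the previous call passed no password at all, so for the duration of the check the secret is typically readable by any local user who can list process arguments. The `nolog` tuple only keeps it out of the install log, not out of the process table; a safer channel would be handing it to the child on stdin, which needs a matching change in ipa-replica-conncheck since that tool currently takes the password only via `-w` or an interactive prompt (see its main() hunk above). Separately, `p = None` / `if default_cred is None: p = principal` reads more directly as `p = principal if default_cred is None else None`, and a name such as `conncheck_principal` would say what `p` is for; `default_cred` is presumably assigned inside the try block that the hunk at line 821 cuts off. promote_check() starts and ends outside the hunk.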