authorMartin Kosek <mkosek@redhat.com>2012-05-02 15:36:04 +0200
committerRob Crittenden <rcritten@redhat.com>2012-05-01 20:38:55 -0400
commit1267d5731d31c80e3b6d06397e23f7070d7eb508 (patch)
tree80bcea9c19ae9b91a32e721d67fbb2b537f78556
parent6321c5ba87ff916bfff7fa15d20cb6d1a18f20f0 (diff)
downloadfreeipa-1267d5731d31c80e3b6d06397e23f7070d7eb508.tar.gz
freeipa-1267d5731d31c80e3b6d06397e23f7070d7eb508.tar.xz
freeipa-1267d5731d31c80e3b6d06397e23f7070d7eb508.zip
Make ipa 2.2 client capable of joining an older server
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. ipa command no longer forwards Kerberos TGT to the server during authentication. However, when IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded. This patch adds a fallback to ipa-client-install which detects this situation and retries the connection with TGT forwarding enabled. The user is informed about this incompatibility. Missing realm was also added to keytab kinit as it was reported to fix occasional install issues. https://fedorahosted.org/freeipa/ticket/2697
-rwxr-xr-xipa-client/ipa-install/ipa-client-install26
1 files changed, 24 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7133cce04..67279b3ed 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1374,14 +1374,36 @@ def install(options, env, fstore, statestore):
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
- ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s' % hostname])
- api.Backend.xmlclient.connect()
+ ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (hostname, cli_realm)])
except CalledProcessError, e:
print >>sys.stderr, "Failed to obtain host TGT."
# fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
# abort installation and rollback changes
return CLIENT_INSTALL_ERROR
+ # Now, we have a TGT, lets try to connect to the server's XML-RPC interface
+ try:
+ api.Backend.xmlclient.connect()
+ except errors.KerberosError, e:
+ root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e))
+ root_logger.debug('Trying with delegate=True')
+ try:
+ api.Backend.xmlclient.connect(delegate=True)
+ root_logger.debug('Connection with delegate=True successful')
+
+ # The remote server is not capable of Kerberos S4U2Proxy delegation
+ # This features is implemented in IPA server version 2.2 and higher
+ print >>sys.stderr, "Target IPA server has a lower version that the enrolled client"
+ print >>sys.stderr, "Some capabilities including the ipa command capability may not be available"
+ except errors.PublicError, e2:
+ root_logger.debug('Second connect with delegate=True also failed: %s' % str(e2))
+ print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2)
+ return CLIENT_INSTALL_ERROR
+ except errors.PublicError, e:
+ root_logger.debug('Cannot connect to the server due to generic error: %s' % str(e))
+ print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e)
+ return CLIENT_INSTALL_ERROR
+
if not options.on_master:
client_dns(cli_server, hostname, options.dns_updates)
configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
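Review bot: The user-facing message added in the delegate=True branch has a typo, "lower version that the enrolled client" should read "than"; suggest `print >>sys.stderr, "Target IPA server has a lower version than the enrolled client"`. Separately, the retry with `delegate=True` is taken on any errors.KerberosError raised by the first `api.Backend.xmlclient.connect()`, not only when the server lacks S4U2Proxy support, so a transient Kerberos failure also ends with the host TGT being forwarded to the server, and the reason is recorded only at debug level; consider logging the fallback decision above debug, e.g. `root_logger.info('Falling back to TGT forwarding (delegate=True) after the non-delegating connection failed: %s', e)`, so the forwarding is visible in the install log. The enclosing `install()` begins before this hunk and continues after it.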