On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote: > Hello, > > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006 > > Best regards, > Lars
Hello Lars, thank you for your investigation of the problem and the patch! I had to refactor the patch a little: your patch updated only the temporary krb5.conf, not the one put permanently in /etc/krb5.conf. I also moved the DNS update before certmonger is configured; otherwise certmonger may fail because the client does not have a proper DNS record. Patch attached. Martin
>From 180b06667b966db7ab79d92fa2ca0fce56efe2c6 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Fri, 21 Oct 2011 11:18:26 +0200
Subject: [PATCH] Fix client krb5 domain mapping and DNS

Add Kerberos mapping for clients outside of server domain. Otherwise certmonger had problems issuing the certificate. Also make sure that client DNS records on the server are set before certmonger is started and certificate is requested. Based on Lars Sjostrom patch. https://fedorahosted.org/freeipa/ticket/2006
---
 ipa-client/ipa-install/ipa-client-install | 20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 628652efcf2067ec1997a8656d5ff471dc3baa90..2f7f1ff55f455f8750f7e22de5d8973a6a342295 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server):
     return
-def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
+def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, client_domain):
     krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
     krbconf.setOptionAssignment(" = ")
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
     #[domain_realm]
     dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
               {'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+    #add client domain mapping if different from server domain
+    if cli_domain != client_domain:
+        dropts.append({'name':'.'+client_domain, 'type':'option', 'value':cli_realm})
+        dropts.append({'name':client_domain, 'type':'option', 'value':cli_realm})
+
     opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
     opts.append({'name':'empty', 'type':'empty'})
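Review bot: The two entries added under `if cli_domain != client_domain:` map the client's entire parent DNS domain (`.client_domain` and `client_domain`) to cli_realm, not just this host, so any other machine in that domain that belongs to a different Kerberos realm would be mis-mapped by this krb5.conf; if the intent is only to make certmonger work for this client, a host-scoped entry such as `{'name':hostname, 'type':'option', 'value':cli_realm}` would be narrower (hostname is not a parameter here, so it would have to be passed in like client_domain was). The comparison is also a case-sensitive string test while DNS names are not, so a domain that differs from the discovered one only in case would get duplicate entries; comparing `cli_domain.lower() != client_domain.lower()` avoids that. The new positional parameter client_domain on configure_krb5_conf is undocumented; a one-line comment above the signature, `# client_domain: DNS domain of this client, may differ from cli_domain (the server's domain)`, would save the next reader the trip to install(). configure_krb5_conf continues outside both hunks.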
@@ -895,6 +901,8 @@ def install(options, env, fstore, statestore):
     cli_domain = ds.getDomainName()
     logging.debug("will use domain: %s\n", cli_domain)
+    client_domain = hostname[hostname.find(".")+1:]
+
     if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
         or not ds.getServerName():
         logging.debug("IPA Server not found")
@@ -1015,7 +1023,7 @@ def install(options, env, fstore, statestore):
         print "Unable to sync time with IPA NTP server, assuming the time is in sync."
     (krb_fd, krb_name) = tempfile.mkstemp()
     os.close(krb_fd)
-    if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
+    if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, client_domain):
         print "Test kerberos configuration failed"
         return CLIENT_INSTALL_ERROR
     env['KRB5_CONFIG'] = krb_name
@@ -1115,17 +1123,15 @@ def install(options, env, fstore, statestore):
     if not options.on_master:
         # Configure krb5.conf
         fstore.backup_file("/etc/krb5.conf")
-        if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, "/etc/krb5.conf"):
+        if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, "/etc/krb5.conf", client_domain):
             return CLIENT_INSTALL_ERROR
         print "Configured /etc/krb5.conf for IPA realm " + cli_realm
-    configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
-
-    #Try to update the DNS records, failure is not fatal
-    if not options.on_master:
         client_dns(cli_server, hostname, options.dns_updates)
+    configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
+
     #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed)
     nscd = ipaservices.knownservices.nscd
     if nscd.is_installed():
-- 
1.7.6.4
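Review bot: `client_domain = hostname[hostname.find(".")+1:]` yields the whole hostname when it contains no dot, because find() returns -1 and the slice then starts at 0; the later `cli_domain != client_domain` test would then be true and a bare short name would be written into [domain_realm] as if it were a domain. `client_domain = hostname.partition(".")[2] or cli_domain` falls back to the server domain in that case so no extra entries are added. If the installer already rejects non-FQDN hostnames before this point (hostname is defined earlier in install(), outside the hunk), this is moot, but a comment saying `# hostname is validated as a FQDN above` would make that explicit. install() starts and ends outside the hunk.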
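Review bot: Moving `client_dns(cli_server, hostname, options.dns_updates)` into the first `if not options.on_master:` block dropped the `#Try to update the DNS records, failure is not fatal` comment, so neither the tolerated-failure contract of client_dns nor the reason it must now run before configure_certmonger (the commit message says certmonger needs the host's DNS record) is visible in the code any more. I'd restore a comment above the client_dns line, e.g. `# Update the client's DNS records before certmonger requests a certificate; failure is not fatal`. Whether configure_certmonger still proceeds usefully when the update fails cannot be judged from this hunk, since client_dns returns nothing that is checked here; if it reports failure, logging it at this call site would help diagnose the certmonger errors the ticket describes. The enclosing install() continues outside the hunk.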
