[Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 11 12:06:48 UTC 2011


On 11.08.2011 14:59, Martin Kosek wrote:
> On Thu, 2011-08-11 at 13:07 +0300, Alexander Bokovoy wrote:
>> On 11.08.2011 12:19, Martin Kosek wrote:
>>> This is a first shot for client enrollment fix. I had to pull the new
>>> version of xmlrpc-c from koji as it is not in updates-testing repo yet:
>>>
>>> http://koji.fedoraproject.org/koji/buildinfo?buildID=257947
>>>
>>> Fixed curl package is already in stable repos.
>>>
>>> Unfortunately, it seems that credentials are not delegated yet. I still
>>> get "did not receive Kerberos credentials" error from the server. Any
>>> idea what went wrong? Adding xmlrpc-c maintainer on CC.
>>
>> Looking at ipa-join.c patch, I noticed one thing:
>>> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
>>> index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644
>>> --- a/ipa-client/ipa-join.c
>>> +++ b/ipa-client/ipa-join.c
>>> @@ -149,6 +149,8 @@ callRPC(xmlrpc_env *            const envP,
>>>      curlXportParmsP->no_ssl_verifypeer = 1;
>>>      curlXportParmsP->no_ssl_verifyhost = 1;
>>>      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
>>> +    /* Enable GSSAPI credentials delegation */
>>> +    curlXportParmsP->gssapi_delegation = 1;
>>>  
>>>      clientparms.transport = "curl";
>>>      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
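Review bot: The context lines directly above the added assignment set no_ssl_verifypeer = 1 and no_ssl_verifyhost = 1, so with gssapi_delegation = 1 the client forwards delegated Kerberos credentials over a TLS connection whose peer certificate and host name are not checked. Since cainfo already points at /etc/ipa/ca.crt, consider enabling both checks before turning delegation on, or extend the new comment to say why verification is skipped on this path.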
>>
>> I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation:
>>
>> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
>> index 95f2939..f6ca693 100644
>> --- a/ipa-client/ipa-join.c
>> +++ b/ipa-client/ipa-join.c
>> @@ -149,11 +149,13 @@ callRPC(xmlrpc_env *            const envP,
>>      curlXportParmsP->no_ssl_verifypeer = 1;
>>      curlXportParmsP->no_ssl_verifyhost = 1;
>>      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
>> +    /* Enable GSSAPI credentials delegation */
>> +    curlXportParmsP->gssapi_delegation = 1;
>>
>>      clientparms.transport = "curl";
>>      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
>>              curlXportParmsP;
>> -    clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
>> +    clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
>>      xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
>>                           &clientparms, sizeof(clientparms),
>>                           &clientP);
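Review bot: XMLRPC_CXPSIZE(gssapi_delegation) in the transportparm_size assignment only compiles against xmlrpc-c headers that define that member, and the thread says the build that has it is not in updates-testing yet. Suggest a configure-time check for the member, or a minimum xmlrpc-c version in the build requirements, so that older headers fail with a clear message instead of a compile error inside callRPC.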
>>
> 
> Thanks, that was the problem. I wonder how I missed it. Attaching the
> updated patch, client enrollment on F-15 works.
ACK.
Should we wait until xmlrpc-c flies into F15 updates?
-- 
/ Alexander Bokovoy
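
Why the first patch had no effect, as an added example that is not part of the original thread or of xmlrpc-c: a small C model of a size-versioned parameter block, where the library honours a member only if the caller's declared size covers it. The struct layout, `PARMS_SIZE` and `effective_delegation` are hypothetical stand-ins; only the member names come from the patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical parameter block; member names mirror the patch above,
   the layout itself is constructed for this example. */
struct xport_parms {
    int         no_ssl_verifypeer;
    int         no_ssl_verifyhost;
    const char *cainfo;
    int         gssapi_delegation;   /* member added in a later library version */
};

/* Size of the struct up to and including member m (the idea behind XMLRPC_CXPSIZE). */
#define PARMS_SIZE(m) \
    (offsetof(struct xport_parms, m) + sizeof(((struct xport_parms *)0)->m))

/* Library side (assumed behaviour): a member the caller did not declare
   is never read and falls back to its default, here "no delegation". */
static int effective_delegation(const struct xport_parms *p, size_t declared_size)
{
    if (p == NULL || declared_size < PARMS_SIZE(gssapi_delegation))
        return 0;
    return p->gssapi_delegation != 0;
}

/* Caller as in the first patch: member set, size still declared up to cainfo. */
static int first_patch(void)
{
    struct xport_parms p = { .cainfo = "/etc/ipa/ca.crt", .gssapi_delegation = 1 };
    return effective_delegation(&p, PARMS_SIZE(cainfo));
}

/* Caller as in the corrected patch: size declared up to gssapi_delegation. */
static int corrected_patch(void)
{
    struct xport_parms p = { .cainfo = "/etc/ipa/ca.crt", .gssapi_delegation = 1 };
    return effective_delegation(&p, PARMS_SIZE(gssapi_delegation));
}

int main(void)
{
    printf("size up to cainfo:            delegation=%d\n", first_patch());
    printf("size up to gssapi_delegation: delegation=%d\n", corrected_patch());
    return 0;
}
```

The failure is silent on the client side: the assignment compiles and runs, and the only symptom is the server-side "did not receive Kerberos credentials" error quoted earlier in the thread.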



