[Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

Jan Cholasta jcholast at redhat.com
Wed Sep 12 12:58:18 UTC 2012


Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> When installing the client, we need to take extra care to only contact
>>>> the one server we're installing against. Otherwise, in the real world,
>>>> we might hit a server that hasn't replicated info about the client yet.
>>>>
>>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>>> didn't have the host principal yet.
>>>>
>>>>
>>>> To reproduce:
>>>>
>>>> - Install a "master" and "replica"
>>>> - Change the Kerberos DNS entries to only point to the replica:
>>>>      for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>>>>          ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
>>>>      done
>>>>      ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
>>>>      ipa dnsrecord-find $DOMAIN  # check
>>>> - Sever communication between the hosts to disable replication:
>>>>      (on master)
>>>>      iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>>> - On client machine, put master as nameserver in /etc/resolv.conf & install client
>>>>
>>>> This will fail without the patch.
>>>>
>>>>
>>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>>> explain the bug. I learned a lot.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2982
>>>
>>> ACK, pushed to master and ipa-3-0
>>>
>>> rob
>>>
>>
>> The patch broke server installs. Please revert it if you're having
>> trouble while I look into it.
>>
>>
>
> I messed up and removed the kinit call entirely when installing on
> master. Attaching a fix.
>

Works for me, ACK.

Honza

-- 
Jan Cholasta
