[Freeipa-devel] [freeipa PR#564][opened] Reconfigure Kerberos library config as the last step of KDC install
martbab
2017-03-09 17:19:01 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Author: martbab
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
Action: opened

PR body:
"""
During KDC installation, we overwrite the existing `/etc/krb5.conf` file
from client version to use only local KDC for client requests. However,
this means that services such as certmonger may try to kinit against
local KDC before it is up and running, resulting in subtle but serious
bugs.

The file should be updated only when KDC is set up properly and running.

https://pagure.io/freeipa/issue/6739
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/564/head:pr564
git checkout pr564
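The ordering hazard the PR body describes, shown as an added example that is not FreeIPA's code: the KDC-pinned `krb5.conf` is put in place only after a readiness probe of the KDC port succeeds, otherwise the existing client-profile file is left alone. A throwaway TCP listener on 127.0.0.1 stands in for the KDC; the realm `EXAMPLE.TEST`, the port-88 default, the minimal config layout and the probe itself are assumptions of this example, not what `ipa-server-install` does.

```python
"""Gate the krb5.conf rewrite on KDC readiness (added example, not FreeIPA code)."""
import os
import socket
import tempfile
from pathlib import Path

# Constructed sample values; a real installer derives these from the deployment.
REALM = "EXAMPLE.TEST"   # hypothetical realm
KDC_PORT = 88            # standard Kerberos port, assumed for the rendered config


def render_krb5_conf(realm: str, kdc_host: str, kdc_port: int) -> str:
    """Render a minimal krb5.conf that pins the Kerberos library to one KDC.

    Once this replaces the client-profile file, every kinit on the host
    (certmonger's included) goes only to kdc_host, so it must not be installed
    before that KDC answers.
    """
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "  dns_lookup_kdc = false\n"
        "\n"
        "[realms]\n"
        f"  {realm} = {{\n"
        f"    kdc = {kdc_host}:{kdc_port}\n"
        f"    admin_server = {kdc_host}\n"
        "  }\n"
    )


def kdc_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Readiness probe: True once something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def install_library_config(path: Path, realm: str, kdc_host: str, kdc_port: int,
                           probe=kdc_reachable) -> bool:
    """Replace path with the KDC-pinned config only after the KDC is up.

    Returns True if the file was rewritten, False if the KDC was not ready and
    the existing (client-profile) file was left untouched.  The write goes
    through a temporary file and an atomic rename so no reader ever sees a
    half-written krb5.conf.
    """
    if not probe(kdc_host, kdc_port):
        return False
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(render_krb5_conf(realm, kdc_host, kdc_port))
    os.replace(tmp, path)
    return True


def demo() -> dict:
    """Exercise both orderings against a throwaway listener standing in for the KDC.

    No real KDC is involved: a listening TCP socket on 127.0.0.1 plays
    "KDC running", and the same port after the socket is closed plays
    "KDC not yet started".
    """
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        conf = Path(workdir) / "krb5.conf"
        # Constructed stand-in for the client-profile file the PR says gets overwritten.
        conf.write_text("# client-profile krb5.conf (constructed placeholder)\n")
        client_profile = conf.read_text()

        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))      # kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]

        # KDC "running": the rewrite is allowed and pins the local KDC.
        results["written_when_kdc_up"] = install_library_config(conf, REALM, "127.0.0.1", port)
        results["config_pins_local_kdc"] = f"kdc = 127.0.0.1:{port}" in conf.read_text()

        # KDC "stopped": the rewrite must be refused and the file left as is.
        listener.close()
        conf.write_text(client_profile)       # reset to the client profile for the second run
        results["written_when_kdc_down"] = install_library_config(conf, REALM, "127.0.0.1", port)
        results["client_profile_kept_when_down"] = conf.read_text() == client_profile
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the four outcomes of `demo()`: the config is written and pins the local KDC while the listener is up, and the rewrite is refused with the client profile intact once the port is closed. Passing a different `probe` callable lets an installer substitute a richer check (for example an actual AS-REQ) without changing the gating logic.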
abbra
2017-03-09 17:20:52 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

abbra commented:
"""
LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285418391
martbab
2017-03-09 17:21:21 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Author: martbab
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/564/head:pr564
git checkout pr564
simo5
2017-03-09 17:34:33 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

simo5 commented:
"""
I do not think this is the correct fix/bug.
What we want to do is to change kdc.conf to require certs only after we have installed them.
The KDC is already properly configured and running otherwise but fails to start on replica because certs are not there. We need it to not fail, not to allow certmonger to go over the network to other servers.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285422563
martbab
2017-03-09 17:42:16 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

martbab commented:
"""
But the certs are requested by certmonger on replica which tries to kinit against *the very same KDC that is being configured and is not running yet* because it was told so by the Kerberos config that was updated before starting KDC.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285424665
abbra
2017-03-09 17:49:29 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

abbra commented:
"""
@simo5 KDC starts just fine with missing certs. It disables PKINIT if certs aren't reachable. However, if KDC is not running at all, certmonger cannot complete the cert request at all.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285426600
simo5
2017-03-09 21:47:46 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

simo5 commented:
"""
@martbab @abbra see the pull request in #567
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285493983
martbab
2017-03-10 07:20:54 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

martbab commented:
"""
Ah right, this won't work because on master there would be no library configuration for KDC deployment (realm, etc.); that's why server install in Travis crashed. Closing this PR as #567 supersedes it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285596698
martbab
2017-03-10 07:20:55 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Author: martbab
Title: #564: Reconfigure Kerberos library config as the last step of KDC install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/564/head:pr564
git checkout pr564
martbab
2017-03-10 07:21:02 UTC
URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

Label: +rejected