#8402 [RFE] ipa-client-install forces nsupdate to bind with gssapi
Closed: fixed a year ago by abbra. Opened 2 years ago by fcami.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1854557

[+] Description of problem:
 - During the ipa-client-install, nsupdate runs but tries to bind with GSSAPI.
If the bind fails, nsupdate stops.

[+] How reproducible:
 - Always

[+] Steps to Reproduce:
 1. Run ipa-client-install.

[+] Expected results:
 - nsupdate tries to bind with gssapi but then tries unsecure if gssapi fails

Metadata Update from @fcami:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1854557

2 years ago

In:
https://github.com/freeipa/freeipa/blob/0df4e8813d573f3e6ad1d084823764cf40a4b5c9/ipaclient/install/client.py#L1337

nsupdate is called with -g:
[paths.NSUPDATE, '-g', UPDATE_FILE]

This could be easily enhanced with a second call without -g ; if the first call fails, SSSD's configuration must be switched to 'dyndns_auth' = 'none' .

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4909

2 years ago

master:

  • 72f44b5 ipa-client-install: remove fsync in do_nsupdate()
  • 20c7bd5 ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
  • 2e31e84 ipa-client-install: update sssd.conf if nsupdate requires -g

ipa-4-9:

  • e82f253 ipa-client-install: remove fsync in do_nsupdate()
  • a8588c5 ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
  • 3cbd24d ipa-client-install: update sssd.conf if nsupdate requires -g

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @fcami:
- Custom field changelog adjusted to Invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time ; configure SSSD to use nsupdate without GSS-TSIG in this case.

a year ago

master:

  • dabf276 ipatests: Test unsecure nsupdate.

ipa-4-9:

  • 4fdab0c ipatests: Test unsecure nsupdate.

Login to comment on this ticket.

Metadata