Bug 1119218
| Summary: | ipa-client-install needs user interaction and join to IPA domain from authconfig-gtk fails | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | dspurek, ebenes, pviktori, rcritten, tmraz |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-08-20 07:35:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1119797 | | |

Description
David Spurek
2014-07-14 10:02:01 UTC
We should allow passing the password by filename, then authconfig-gtk can run with --unattended.

That would require changing authconfig as well. What about using the --noac option as equivalent of --unattended with the modification that password would be still queried.

With my upstream hat on, I don't see why --noac ("do not modify the nsswitch.conf and PAM configuration") should mean "don't prompt the user". We already have an option for that.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4439

With current IPA you can use the --unattended option, and provide the password on stdin. Could authconfig use that?

Yes, we just need to change authconfig to pass the --unattended option along with --noac.

Is the 'Password:' prompt still outputted by ipa_client_install in the --unattended case? Authconfig uses that prompt to detect whether it should send the password to the stdin of ipa_client_install.

Not in ipa-client-3.0.0-42.el6.x86_64:

```
# echo Secret123 | ipa-client-install -p admin --unattended
Discovery was successful!
Hostname: vm-089.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
Valid From: Fri Jul 18 20:58:36 2014 UTC
Valid Until: Tue Jul 18 20:58:36 2034 UTC
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
trying https://vm-086.idm.lab.bos.redhat.com/ipa/xml
Forwarding 'env' to server u'https://vm-086.idm.lab.bos.redhat.com/ipa/xml'
Hostname (vm-089.idm.lab.bos.redhat.com) not found in DNS
DNS server record set to: vm-089.idm.lab.bos.redhat.com -> 10.16.78.89
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://vm-086.idm.lab.bos.redhat.com/ipa/xml'
SSSD enabled
Configuring idm.lab.bos.redhat.com as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
```

OK, that means the changes will have to be more substantial than just passing the --unattended option.

The prompt is not there, but with --unattended the password is the only thing expected on stdin, so it can be sent unconditionally.

This problem was fixed on authconfig side, it can pass the password via stdin as demonstrated in Comment 10. Upstream already plans to provide more options to reading password (https://fedorahosted.org/freeipa/ticket/4040), we should file a bug to authconfig when this is ready. For now, closing this Bugzilla as issue was resolved.
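
The approach the thread settles on (with --unattended no 'Password:' prompt appears, so the caller writes the password to stdin unconditionally and keeps it out of the command line), shown as an added example that is not authconfig or FreeIPA code. The child process is a constructed stand-in, not ipa-client-install, and `build_command`, `prompt_seen` and `run_unattended` are hypothetical names.

```python
import hashlib
import json
import subprocess
import sys

# Stand-in for the enrolment tool (constructed for this example). Like the
# --unattended run in the thread, it prints no 'Password:' prompt and treats
# the first stdin line as the password. It reports argv and a digest only.
FAKE_INSTALLER = r'''
import hashlib, json, sys
secret = sys.stdin.readline().rstrip("\n")
print("Discovery was successful!")
print(json.dumps({"argv": sys.argv[1:],
                  "sha256": hashlib.sha256(secret.encode()).hexdigest()}))
'''


def build_command(principal):
    """Child argv; the password is deliberately absent from it."""
    return [sys.executable, "-c", FAKE_INSTALLER,
            "-p", principal, "--unattended"]


def prompt_seen(output):
    """Prompt-detection heuristic described in the thread."""
    return "Password:" in output


def run_unattended(argv, password, timeout=30):
    """Write the password to stdin unconditionally, then close the pipe."""
    proc = subprocess.run(argv, input=password + "\n", capture_output=True,
                          text=True, timeout=timeout, check=True)
    report = json.loads(proc.stdout.splitlines()[-1])
    # A caller that waits for the prompt before writing would block here,
    # because the unattended child never prints one.
    report["prompt_seen"] = prompt_seen(proc.stdout)
    return report


if __name__ == "__main__":
    # "admin" / "Secret123" are the sample values from the transcript above.
    print(run_unattended(build_command("admin"), "Secret123"))
```
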