On Thu, 2012-05-03 at 08:31 -0700, Nathan Kinder wrote:
> On 05/03/2012 08:18 AM, Martin Kosek wrote:
> > On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
> >> On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
> >>> On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> >>>> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> >>>>> Hi Martin!
> >>>>>
> >>>>> On Thu, 12 Apr 2012, Martin Kosek wrote:
> >>>> ...
> >>>>>> 3) I would not try to import ipaserver.dcerpc every time the command is
> >>>>>> executed:
> >>>>>> + try:
> >>>>>> + import ipaserver.dcerpc
> >>>>>> + except Exception, e:
> >>>>>> + raise errors.NotFound(name=_('AD Trust setup'),
> >>>>>> + reason=_('Cannot perform join operation without
> >>>>>> Samba
> >>>>>> 4 python bindings installed'))
> >>>>>>
> >>>>>> I would rather do it once in the beginning and set a flag:
> >>>>>>
> >>>>>> try:
> >>>>>>     import ipaserver.dcerpc
> >>>>>>     _bindings_installed = True
> >>>>>> except Exception:
> >>>>>>     _bindings_installed = False
> >>>>>>
> >>>>>> ...
> >>>>> The idea was that this code is only executed on the server. We need to
> >>>>> differentiate between:
> >>>>> - running on client
> >>>>> - running on server, no samba4 python bindings
> >>>>> - running on server with samba4 python bindings
> >>>>>
> >>>>> By making it executed all time you are affecting the client code as
> >>>>> well while with current approach it only affects server side.
> >>>> Across our code base, this situation is currently solved with this
> >>>> condition:
> >>>>
> >>>> if api.env.in_server and api.env.context in ['lite', 'server']:
> >>>>     # try-import block
> >>>>
> >>>>>
> >>>>>> + def execute(self, *keys, **options):
> >>>>>> + # Join domain using full credentials and with random trustdom
> >>>>>> + # secret (will be generated by the join method)
> >>>>>> + trustinstance = None
> >>>>>> + if not _bindings_installed:
> >>>>>> + raise errors.NotFound(name=_('AD Trust setup'),
> >>>>>> + reason=_('Cannot perform join operation without
> >>>>>> Samba
> >>>>>> 4 python bindings installed'))
> >>>>>>
> >>>>>>
> >>>>>> 4) Another import inside a function:
> >>>>>> + def arcfour_encrypt(key, data):
> >>>>>> + from Crypto.Cipher import ARC4
> >>>>>> + c = ARC4.new(key)
> >>>>>> + return c.encrypt(data)
> >>>>> Same here, it is only needed on server side.
> >>>>>
> >>>>> Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> >>>>> push).
> >>>>>
> >>>> Yeah, I would fix in the same way as 3).
> >>>>
> >>> I am running another run of test to finish my review of your patches,
> >>> but I stumbled in 389-ds error when I was installing IPA server from
> >>> package built from your git tree:
> >>> git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
> >>>
> >>> # rpm -q freeipa-server 389-ds-base
> >>> freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
> >>> 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
> >>> # ipa-server-install -p kokos123 -a kokos123
> >>> ...
> >>> [16/18]: issuing RA agent certificate
> >>> [17/18]: adding RA agent as a trusted user
> >>> [18/18]: Configure HTTP to proxy connections
> >>> done configuring pki-cad.
> >>> Configuring directory server: Estimated time 1 minute
> >>> [1/35]: creating directory server user
> >>> [2/35]: creating directory server instance
> >>> [3/35]: adding default schema
> >>> [4/35]: enabling memberof plugin
> >>> [5/35]: enabling referential integrity plugin
> >>> [6/35]: enabling winsync plugin
> >>> [7/35]: configuring replication version plugin
> >>> [8/35]: enabling IPA enrollment plugin
> >>> [9/35]: enabling ldapi
> >>> [10/35]: configuring uniqueness plugin
> >>> [11/35]: configuring uuid plugin
> >>> [12/35]: configuring modrdn plugin
> >>> [13/35]: enabling entryUSN plugin
> >>> [14/35]: configuring lockout plugin
> >>> [15/35]: creating indices
> >>> [16/35]: configuring ssl for ds instance
> >>> [17/35]: configuring certmap.conf
> >>> [18/35]: configure autobind for root
> >>> [19/35]: configure new location for managed entries
> >>> [20/35]: restarting directory server
> >>> [21/35]: adding default layout
> >>> [22/35]: adding delegation layout
> >>> ipa : CRITICAL Failed to load delegation.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
> >>> non-zero exit status 255
> >>> [23/35]: adding replication acis
> >>> ipa : CRITICAL Failed to load replica-acis.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
> >>> non-zero exit status 255
> >>> [24/35]: creating container for managed entries
> >>> ipa : CRITICAL Failed to load managed-entries.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
> >>> non-zero exit status 255
> >>> [25/35]: configuring user private groups
> >>> ipa : CRITICAL Failed to load user_private_groups.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
> >>> non-zero exit status 255
> >>> [26/35]: configuring netgroups from hostgroups
> >>> ipa : CRITICAL Failed to load host_nis_groups.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
> >>> non-zero exit status 255
> >>> [27/35]: creating default Sudo bind user
> >>> ipa : CRITICAL Failed to load sudobind.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
> >>> non-zero exit status 255
> >>> [28/35]: creating default Auto Member layout
> >>> ipa : CRITICAL Failed to load automember.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
> >>> non-zero exit status 255
> >>> [29/35]: creating default HBAC rule allow_all
> >>> ipa : CRITICAL Failed to load default-hbac.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
> >>> non-zero exit status 255
> >>> [30/35]: initializing group membership
> >>> ipa : CRITICAL Failed to load memberof-task.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
> >>> non-zero exit status 255
> >>> Unexpected error - see ipaserver-install.log for details:
> >>> {'desc': "Can't contact LDAP server"}
> >>>
> >>>
> >>> # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
> >>> [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
> >>> starting up
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> >>> cipher AES in backend userRoot, attempting to create one...
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
> >>> generated and stored
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> >>> cipher 3DES in backend userRoot, attempting to create one...
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
> >>> successfully generated and stored
> >>> [20/Apr/2012:02:19:16 -0400] - slapd started. Listening on All
> >>> Interfaces port 389 for LDAP requests
> >>> [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
> >>> LDAPS requests
> >>> [20/Apr/2012:02:19:16 -0400] - Listening
> >>> on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> >>> [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
> >>> Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
> >>> Templates found, which should be added before the CoS Definition.
> >>> [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
> >>> the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
> >>> resolve a deadlock (-30993)
> >>>
> >>> Martin
> >>>
> >> I reproduced this issue even on another clean VM, I filed a BZ for that:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=816590
> >>
> >> Martin
> >>
> > With the development version of the fix for DS issue, I was able to
> > continue with the review. I found the following issues:
> Please start using 389-ds-base-1.2.11.1-1.fc17, which is in testing
> now. Karma would be much appreciated.

Will do! I just tested it and it works so far - karma+1 from me.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
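
Review bot: `except Exception, e:` in the `import ipaserver.dcerpc` hunk quoted under point 3 catches every exception and never uses `e`, so any error raised while the module loads is reported to the caller as the Samba 4 python bindings not being installed. Catching `ImportError` only, and logging the exception text before raising `errors.NotFound`, would keep a genuinely missing dependency distinguishable from a broken module; the `except Exception:` in the flag-based variant proposed in the thread has the same effect.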
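
Review bot: `arcfour_encrypt(key, data)` in the hunk quoted under point 4 creates a fresh `ARC4.new(key)` on every call, so two calls with the same key encrypt under the same keystream, and the function carries no docstring stating what the caller must guarantee about `key`. A docstring naming why RC4 is needed here and requiring that a key is never reused across calls would make that constraint reviewable; this is independent of where the `Crypto.Cipher` import ends up.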