On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > Hi Martin!
> >
> > On Thu, 12 Apr 2012, Martin Kosek wrote:
> ...
> > >3) I would not try to import ipaserver.dcerpc every time the command is
> > >executed:
> > >+ try:
> > >+ import ipaserver.dcerpc
> > >+ except Exception, e:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))
> > >
> > >I would rather do it once in the beginning and set a flag:
> > >
> > >try:
> > >    import ipaserver.dcerpc
> > >    _bindings_installed = True
> > >except Exception:
> > >    _bindings_installed = False
> > >
> > >...
> > The idea was that this code is only executed on the server. We need to
> > differentiate between:
> > - running on client
> > - running on server, no samba4 python bindings
> > - running on server with samba4 python bindings
> >
> > By making it executed all time you are affecting the client code as
> > well while with current approach it only affects server side.
>
> Across our code base, this situation is currently solved with this
> condition:
>
> if api.env.in_server and api.env.context in ['lite', 'server']:
>     # try-import block
>
> > >+ def execute(self, *keys, **options):
> > >+ # Join domain using full credentials and with random trustdom
> > >+ # secret (will be generated by the join method)
> > >+ trustinstance = None
> > >+ if not _bindings_installed:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))
> > >
> > >
> > >4) Another import inside a function:
> > >+ def arcfour_encrypt(key, data):
> > >+ from Crypto.Cipher import ARC4
> > >+ c = ARC4.new(key)
> > >+ return c.encrypt(data)
> > Same here, it is only needed on server side.
> >
> > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > push).
>
> Yeah, I would fix in the same way as 3).
>
> Martin
>
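Review bot: in the quoted `try: import ipaserver.dcerpc` block, `except Exception, e:` binds `e` but never uses it and catches far more than a missing module, so a broken or half-installed binding would be reported to the caller as "bindings not installed"; catch `ImportError` only, and reconsider `errors.NotFound` for a missing server dependency, since NotFound reads as "object does not exist" to the client. The same `errors.NotFound(... 'Cannot perform join operation ...')` is repeated in `execute()`; keeping the message in one place next to the `_bindings_installed` flag avoids the two copies drifting apart.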
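Review bot: `arcfour_encrypt` imports `Crypto.Cipher.ARC4` inside the function body, so the hard dependency on python-crypto is invisible at module load time and only surfaces when the command runs (the missing `BuildRequires` noted later in this thread is a symptom of that); move the import next to the guarded `ipaserver.dcerpc` import so it follows the same server-only path, and add a docstring stating what this RC4 wrapper is used for and what types `key` and `data` must be, since a bare RC4 helper without context will be flagged in any later audit.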
I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there is about a dozen test
case errors, e.g. extra ipakrbprincipalalias attribute in services or new
ipakrbprincipal objectclass for hosts

3) Replication did not work too well for me this time. ipa-replica-install
reported just one issue during installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

But this may be just a symptom of some bigger issue. After the
installation finished, DS did not start, it kept reporting Kerberos
issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat....@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

When I run "ipactl restart", dirsrv started and I was able to kinit.

4) Patch "Add separate attribute to store trusted domain SID" still has
a wrong service part of the principal to be removed (s/ldap/cifs):

+ dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+

This leaves CIFS entry in the S4U2Proxy configuration even after replica
uninstallation.

Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
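Item 4 above describes a replica uninstall that builds an `ldap/` principal for the `cn=ipa-cifs-delegation-targets` group and so leaves the replica's `cifs/` entry behind as an allowed delegation target. The Python below is an added illustration, not code from this thread or from FreeIPA: it derives the service from the target group's cn so the two cannot be swapped, and audits a constructed copy of the S4U2Proxy target entries for principals of a host that was already uninstalled. The entry layout and the `memberPrincipal` attribute name are assumptions.

```python
# Added example, not FreeIPA code: audit S4U2Proxy delegation targets after a
# replica uninstall. Entry layout and the memberPrincipal attribute are assumed;
# the LDIF below is a constructed sample of the two target groups.
SAMPLE_LDIF = """\
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/vm-125.example.test@EXAMPLE.TEST
memberPrincipal: ldap/vm-057.example.test@EXAMPLE.TEST

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
cn: ipa-cifs-delegation-targets
memberPrincipal: cifs/vm-125.example.test@EXAMPLE.TEST
memberPrincipal: cifs/vm-057.example.test@EXAMPLE.TEST
"""
# Kerberos service each target group may hold (ldap/ vs cifs/ principals).
TARGET_SERVICE = {"ipa-ldap-delegation-targets": "ldap",
                  "ipa-cifs-delegation-targets": "cifs"}


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def principal_to_remove(target_cn, fqdn, realm):
    """Derive the service from the target group so ldap/ and cifs/ can't be swapped."""
    return "%s/%s@%s" % (TARGET_SERVICE[target_cn], fqdn, realm)


def audit_targets(ldif_text, removed_hosts):
    """Return (wrong_service, stale): principals whose service does not match
    their group, and principals of hosts that were already uninstalled."""
    wrong_service, stale = [], []
    for attrs in parse_ldif(ldif_text).values():
        cn = attrs.get("cn", [""])[0]
        expected = TARGET_SERVICE.get(cn)  # None: not a target group, skip
        for princ in (attrs.get("memberPrincipal", []) if expected else []):
            service, _, rest = princ.partition("/")
            if service != expected:
                wrong_service.append((cn, princ))
            if rest.split("@", 1)[0] in removed_hosts:
                stale.append((cn, princ))  # exactly what item 4's bug leaves behind
    return wrong_service, stale
```

Run against a real export of the `cn=s4u2proxy,cn=etc` subtree after `ipa-replica-manage del`, a non-empty `stale` list means the decommissioned replica is still an allowed S4U2Proxy target and should be removed by hand.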