On Mon, Oct 08, 2012 at 09:11:59AM -0400, Simo Sorce wrote:
> On Mon, 2012-10-08 at 13:29 +0200, Sumit Bose wrote:
> > Hi,
> > 
> > this patch fixes https://fedorahosted.org/freeipa/ticket/3147 by
> > adding
> > the default fallback group with an LDIF file instead of using the
> > framework.
> > 
> > bye,
> > Sumit
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > From 2cd6a4e0f93c34df60a221ea7e96a5c2735ece4d Mon Sep 17 00:00:00 2001
> > From: Sumit Bose <sb...@redhat.com>
> > Date: Mon, 8 Oct 2012 10:44:07 +0200
> > Subject: [PATCH] ipa-adtrust-install: create fallback group with ldif
> > file
> > 
> > Currently the framework is used to add the group but we want to avoid
> > that users are added explicitly to the group by removing the
> > objectclasses groupofnames, ipausergroup and nestedgroup and we want
> > to
> > use a name with spaces in it. Both it not easy possible with the
> > framework, a LDIF file is used instead to create the group.
> > 
> > Fixes https://fedorahosted.org/freeipa/ticket/3147
> > ---
> >  install/share/Makefile.am            |  1 +
> >  install/share/default-smb-group.ldif |  8 +++++++
> >  ipaserver/install/adtrustinstance.py | 41
> > ++++++++++--------------------------
> >  3 Dateien geändert, 20 Zeilen hinzugefügt(+), 30 Zeilen entfernt(-)
> >  create mode 100644 install/share/default-smb-group.ldif
> > 
> > diff --git a/install/share/Makefile.am b/install/share/Makefile.am
> > index
> > 03fef9a66f2f4c64e5685d4947c6f9139ac69ad0..23cd766a5a82ca514ffff9ebad82e0ee7db9ae77
> >  100644
> > --- a/install/share/Makefile.am
> > +++ b/install/share/Makefile.am
> > @@ -16,6 +16,7 @@ app_DATA =                            \
> >         caJarSigningCert.cfg.template   \
> >         default-aci.ldif                \
> >         default-hbac.ldif               \
> > +       default-smb-group.ldif          \
> >         delegation.ldif                 \
> >         replica-acis.ldif               \
> >         ds-nfiles.ldif                  \
> > diff --git a/install/share/default-smb-group.ldif
> > b/install/share/default-smb-group.ldif
> > new file mode 100644
> > index
> > 0000000000000000000000000000000000000000..8d89f67cc7d8be66375c9accb038b3c20a4d4be4
> > --- /dev/null
> > +++ b/install/share/default-smb-group.ldif
> > @@ -0,0 +1,8 @@
> > +dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
> > +changetype: add
> > +cn: Default SMB Group
> > +description: Fallback group for primary group RID, do not add user to
> > this group
> 
> Please change user -> users
> 
> > +gidnumber: 999
> > +objectclass: top
> > +objectclass: ipaobject
> > +objectclass: posixgroup
> > diff --git a/ipaserver/install/adtrustinstance.py
> > b/ipaserver/install/adtrustinstance.py
> > index
> > 3f3924eb3ce9f56ac66407347645c40f96eb6430..41030223d1f644ba6a6557ac90d8f518fcba9c29
> >  100644
> > --- a/ipaserver/install/adtrustinstance.py
> > +++ b/ipaserver/install/adtrustinstance.py
> > @@ -22,7 +22,6 @@ import errno
> >  import ldap
> >  import tempfile
> >  import uuid
> > -import krbV
> >  from ipaserver import ipaldap
> >  from ipaserver.install import installutils
> >  from ipaserver.install import service
> > @@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
> >      OBJC_USER = "ipaNTUserAttrs"
> >      OBJC_GROUP = "ipaNTGroupAttrs"
> >      OBJC_DOMAIN = "ipaNTDomainAttrs"
> > -    FALLBACK_GROUP_NAME = u'Default_SMB_Group'
> > +    FALLBACK_GROUP_NAME = u'Default SMB Group'
> >  
> >      def __init__(self, fstore=None):
> >          self.fqdn = None
> > @@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
> >          """
> >  
> >          self.ldap_connect()
> > -        try:
> > -            ctx = krbV.default_context()
> > -            ccache = ctx.default_ccache()
> > -        except krbV.Krb5Error, e:
> > -            self.print_msg("Must have Kerberos credentials to setup "
> > \
> > -                           "AD trusts on server")
> > -            return
> > -
> > -        try:
> > -            api.Backend.ldap2.disconnect()
> > -            api.Backend.ldap2.connect(ccache.name)
> > -        except errors.ACIError, e:
> > -            self.print_msg("Outdated Kerberos credentials. " \
> > -                           "Use kdestroy and kinit to update your
> > ticket")
> > -            return
> > -        except errors.DatabaseError, e:
> > -            self.print_msg("Cannot connect to the LDAP database. " \
> > -                           "Please check if IPA is running")
> > -            return
> >  
> >          try:
> >              dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
> > @@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
> >              self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
> >          except errors.NotFound:
> >              try:
> > -                fallback =
> > api.Command['group_add'](self.FALLBACK_GROUP_NAME,
> > -                                           description= u'Fallback
> > group for ' \
> > -                                                         'primary
> > group RID, ' \
> > -                                                         'do not add
> > user to ' \
> > -                                                         'this
> > group',
> > -                                           nonposix=False)
> > -                fb_group_dn = fallback['result']['dn']
> > +                self._ldap_mod('default-smb-group.ldif',
> > self.sub_dict)
> >              except Exception, e:
> >                  self.print_msg("Failed to add fallback group.")
> >                  raise e
> >  
> > +        # _ldap_mod does not return useful error codes, so we must
> > check again
> > +        # if the fallback group was created properly.
> >          try:
> > -            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
> > -                    fallback['result']['dn'])]
> > +            self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
> > +        except errors.NotFound:
> > +                self.print_msg("Failed to add fallback group.")
> > +                return
> 
> This exception block looks like it is on the wrong indentation (8 vs 4)?
> 
> > +
> > +        try:
> > +            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
> > fb_group_dn)]
> >              self.admin_conn.modify_s(self.smb_dom_dn, mod)
> >          except:
> >              self.print_msg("Failed to add fallback group to domain
> > object") 
> 
> Other than these minor issues, ack.
> 
> Simo.

Thank you for the review, both issues are fixed in the new version.

bye,
Sumit

> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
From c901796f86f4a2cece790dc1e84614c7cb2a40ea Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 8 Oct 2012 10:44:07 +0200
Subject: [PATCH] ipa-adtrust-install: create fallback group with ldif file

Currently the framework is used to add the group but we want to avoid
that users are added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup and we want to
use a name with spaces in it. Neither is easily possible with the
framework, so an LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
---
 install/share/Makefile.am            |  1 +
 install/share/default-smb-group.ldif |  8 +++++++
 ipaserver/install/adtrustinstance.py | 41 ++++++++++--------------------------
 3 Dateien geändert, 20 Zeilen hinzugefügt(+), 30 Zeilen entfernt(-)
 create mode 100644 install/share/default-smb-group.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 
03fef9a66f2f4c64e5685d4947c6f9139ac69ad0..23cd766a5a82ca514ffff9ebad82e0ee7db9ae77
 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ app_DATA =                            \
        caJarSigningCert.cfg.template   \
        default-aci.ldif                \
        default-hbac.ldif               \
+       default-smb-group.ldif          \
        delegation.ldif                 \
        replica-acis.ldif               \
        ds-nfiles.ldif                  \
diff --git a/install/share/default-smb-group.ldif 
b/install/share/default-smb-group.ldif
new file mode 100644
index 
0000000000000000000000000000000000000000..abcc8a945a8187529044beeb73262b5434070b48
--- /dev/null
+++ b/install/share/default-smb-group.ldif
@@ -0,0 +1,8 @@
+dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+cn: Default SMB Group
+description: Fallback group for primary group RID, do not add users to this 
group
+gidnumber: 999
+objectclass: top
+objectclass: ipaobject
+objectclass: posixgroup
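Review bot: `gidnumber: 999` pins a fixed GID, whereas the `group_add` call this LDIF replaces presumably let the server allocate one from its ID range; a directory or local system group that already uses GID 999 would silently share its identity with the fallback group. The choice should be explained in the file, e.g. a leading comment `# Fixed GID; must not collide with any allocated or local group`, or guarded by a check in the installer before the LDIF is applied. Note also that the standard `posixgroup` object class still allows `memberUid`, so the description's "do not add users to this group" is advisory rather than enforced by the schema change the commit message describes.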
diff --git a/ipaserver/install/adtrustinstance.py 
b/ipaserver/install/adtrustinstance.py
index 
3f3924eb3ce9f56ac66407347645c40f96eb6430..d86f9f51463912c3541a27118843c30d88439ae5
 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,6 @@ import errno
 import ldap
 import tempfile
 import uuid
-import krbV
 from ipaserver import ipaldap
 from ipaserver.install import installutils
 from ipaserver.install import service
@@ -101,7 +100,7 @@ class ADTRUSTInstance(service.Service):
     OBJC_USER = "ipaNTUserAttrs"
     OBJC_GROUP = "ipaNTGroupAttrs"
     OBJC_DOMAIN = "ipaNTDomainAttrs"
-    FALLBACK_GROUP_NAME = u'Default_SMB_Group'
+    FALLBACK_GROUP_NAME = u'Default SMB Group'
 
     def __init__(self, fstore=None):
         self.fqdn = None
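Review bot: Changing the value of `FALLBACK_GROUP_NAME` affects servers already set up with the previous name `Default_SMB_Group`; if `fb_group_dn` is built from this constant (that code is outside the hunk), the existence check later in the file would no longer find the old group and a second fallback group would be created and linked to the domain object. A comment on the constant, `# renamed from 'Default_SMB_Group'; existing installs keep the old group`, or an explicit upgrade note would make the intended behaviour clear.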
@@ -211,25 +210,6 @@ class ADTRUSTInstance(service.Service):
         """
 
         self.ldap_connect()
-        try:
-            ctx = krbV.default_context()
-            ccache = ctx.default_ccache()
-        except krbV.Krb5Error, e:
-            self.print_msg("Must have Kerberos credentials to setup " \
-                           "AD trusts on server")
-            return
-
-        try:
-            api.Backend.ldap2.disconnect()
-            api.Backend.ldap2.connect(ccache.name)
-        except errors.ACIError, e:
-            self.print_msg("Outdated Kerberos credentials. " \
-                           "Use kdestroy and kinit to update your ticket")
-            return
-        except errors.DatabaseError, e:
-            self.print_msg("Cannot connect to the LDAP database. " \
-                           "Please check if IPA is running")
-            return
 
         try:
             dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
@@ -248,20 +228,21 @@ class ADTRUSTInstance(service.Service):
             self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
         except errors.NotFound:
             try:
-                fallback = api.Command['group_add'](self.FALLBACK_GROUP_NAME,
-                                           description= u'Fallback group for ' 
\
-                                                         'primary group RID, ' 
\
-                                                         'do not add user to ' 
\
-                                                         'this group',
-                                           nonposix=False)
-                fb_group_dn = fallback['result']['dn']
+                self._ldap_mod('default-smb-group.ldif', self.sub_dict)
             except Exception, e:
                 self.print_msg("Failed to add fallback group.")
                 raise e
 
+        # _ldap_mod does not return useful error codes, so we must check again
+        # if the fallback group was created properly.
         try:
-            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
-                    fallback['result']['dn'])]
+            self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
+        except errors.NotFound:
+            self.print_msg("Failed to add fallback group.")
+            return
+
+        try:
+            mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
             self.admin_conn.modify_s(self.smb_dom_dn, mod)
         except:
             self.print_msg("Failed to add fallback group to domain object")
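Review bot: The new `except errors.NotFound:` branch after the re-check prints a message and returns, so the method ends without adding the fallback group to the domain object, while the creation failure a few lines above re-raises; a caller cannot distinguish this half-finished state from success. Either raise here as well, `raise RuntimeError("Failed to add fallback group.")`, or document in the comment that the installer deliberately continues without a fallback group. Separately, the LDIF hard-codes `cn=Default SMB Group` while the re-check uses `fb_group_dn`, which appears to be derived from `FALLBACK_GROUP_NAME` outside the hunk; a comment next to the `_ldap_mod` call, `# DN in default-smb-group.ldif must match FALLBACK_GROUP_NAME`, would keep the two from drifting apart. The enclosing method starts and ends outside the hunk.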
-- 
1.7.11.4
