On Sat, Sep 28, 2013 at 11:01:34PM +0300, Alexander Bokovoy wrote:
> On Fri, 27 Sep 2013, Sumit Bose wrote:
> >On Fri, Sep 27, 2013 at 03:53:08PM +0300, Alexander Bokovoy wrote:
> >>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>>>On Mon, 23 Sep 2013, Martin Kosek wrote:
> >>>>>>>>However, we don't have trust type available so it needs to be
> >>>>>>>>discovered every time. This doesn't play well with the framework,
> >>>>>>>>it is simply not expecting dynamic containers.
> >>>>>>>
> >>>>>>>This doesn't sound like a big obstacle to me. Right now the
> >>>>>>>trust_type lookup is done in trust_show.execute() for some reason,
> >>>>>>>which is not the best place to do it IMHO. Doing it in
> >>>>>>>trust.get_dn() instead should simplify things enough to make
> >>>>>>>parent_object work.
> >>>>>>
> >>>>>>Yup, get_dn() is the method where object DN lookup should be done.
> >>>>>>See for example the host.py plugin get_dn method, where we also do a
> >>>>>>dynamic lookup for the correct host name.
> >>>>>I'll see if that would work.
> >>>>>
> >>>>>>the best way to implement dynamic DN gathering is the get_dn()
> >>>>>>method. That way, it could be implemented in one place and all
> >>>>>>commands could take advantage of it instead of re-implementing it
> >>>>>>several times in pre_callback - this is just hackish.
> >>>>>I'd suggest you look into the code. The commands use pre_callback for
> >>>>>a different purpose than implementing dynamic DN gathering.
> >>>>>
> >>>>>>I think it would have been very useful to have a design page before
> >>>>>>sending a patch. It is then easier to make design decisions without
> >>>>>>having to dig into the patch.
> >>>>>The design page has been there for a long time:
> >>>>>http://www.freeipa.org/page/V3/Transitive_Trusts
> >>>>Ok, here is a new version of the patch and an updated version of my
> >>>>0117 patch, as Sumit noticed I've sent the wrong version.
> >>>Ok, here is updated 0118 which fixes the API.txt change for
> >>>trustdomain_add -- I renamed trustdomain_create to trustdomain_add but
> >>>forgot to rerun makeapi.
> >>New edition attached for all subdomain-related patches:
> >
> >I did some tests and all is working as expected.
> >
> >>
> >>freeipa-abbra-0117-ipaserver-dcerpc.py-populate-forest-trust-informatio-3.patch
> >> Use realmdomains to report name suffix routes at the time we establish
> >> trust
> >>
> >>freeipa-abbra-0118-trusts-support-subdomains-in-a-forest-3.patch
> >> Introduce trustdomain-* commands to fetch the list of domains associated
> >> with a forest trust and allow filtering them off
> >
> >We talked on irc that ipaNTSupportedEncryptionTypes in the filter for
> >the trusted domains should be replaced by a different attribute. Because
> >of an error in ipasam the ipaNTSupportedEncryptionTypes is only set in
> >recent versions and might not be present in the directory trees of older
> >versions.
> Fixed in the attached patch 0118 version 4.
>
> Also attached is a first attempt to implement transiting through trusted
> domains, as patch 0123. In this patch we grant transition only if all
> three realms (client, transited realm, and server realm) match any of
> our trusted domains and our domain. This is probably a bit wider but it
> worked for me bidirectionally, from a child domain to a service in IPA,
> and from the IPA realm to a service in a child domain of a forest trust.
>
> --
> / Alexander Bokovoy
...
> +
> + return (has_client_realm && has_transited_contents && has_server_realm)
> == false;

I would prefer real krb5 error codes here. 0 and KRB5KRB_AP_ERR_ILL_CR_TKT
are used in the core code which evaluates [capaths].

bye,
Sumit

> +}
> --
> 1.8.3.1
>
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
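Review bot: the value produced by `return (has_client_realm && has_transited_contents && has_server_realm) == false;` is a C boolean (1 when any of the three realms falls outside the trusted set, 0 otherwise), but the KDC code that evaluates [capaths] consumes this result as a krb5_error_code, where 0 means the transit path is accepted and a refusal is signalled with KRB5KRB_AP_ERR_ILL_CR_TKT, so a denial currently comes back as the bare integer 1 rather than a Kerberos error. Return the real codes instead, e.g. `if (!(has_client_realm && has_transited_contents && has_server_realm)) return KRB5KRB_AP_ERR_ILL_CR_TKT;` followed by `return 0;`, which also removes the `== false` double negation on a conjunction and makes the accept/refuse branches explicit for the reader.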
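The transit check described in the thread, as an added example (this is not patch 0123 or FreeIPA's ipadb code): all three realms, the client realm, every realm in the transited field, and the server realm, must be our own realm or one of the trusted domains, and the result is reported with the krb5 error codes the [capaths] evaluation expects (0 to accept, KRB5KRB_AP_ERR_ILL_CR_TKT to refuse) instead of a boolean. Assumptions not taken from the page: realm names are compared exactly; the transited field is assumed to have been expanded already into a comma-separated list of realm names (a real KDB hook receives the RFC 4120 encoded transited contents); the trusted-realm table is a constructed static list standing in for what would be read from the directory; and the fallback value of KRB5KRB_AP_ERR_ILL_CR_TKT is derived from MIT's error table base and is only used when <krb5.h> is unavailable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#ifdef HAVE_KRB5_H
#include <krb5.h>   /* authoritative definitions when building against MIT krb5 */
#else
typedef int krb5_error_code;
/* Assumed fallback: slot 43 ("Illegal cross-realm ticket") relative to MIT's
 * ERROR_TABLE_BASE_krb5 (-1765328384). <krb5.h> is authoritative. */
#define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328384 + 43)
#endif

/* Constructed sample trust configuration (not from the page). */
static const char *const our_realm = "IPA.EXAMPLE.COM";
static const char *const trusted_realms[] = {
    "AD.EXAMPLE.COM",       /* forest root the trust was established with */
    "CHILD.AD.EXAMPLE.COM", /* domain in that forest, as trustdomain-find would list it */
};

/* A realm is acceptable if it is our own realm or one of the trusted domains. */
static bool realm_allowed(const char *realm, size_t len)
{
    size_t i;

    if (len == 0)
        return false;
    if (strlen(our_realm) == len && memcmp(our_realm, realm, len) == 0)
        return true;
    for (i = 0; i < sizeof(trusted_realms) / sizeof(trusted_realms[0]); i++) {
        if (strlen(trusted_realms[i]) == len &&
            memcmp(trusted_realms[i], realm, len) == 0)
            return true;
    }
    return false;
}

/* Walk the expanded transited list. Empty means a direct hop and is fine;
 * every listed realm must be allowed, so one unknown intermediate realm
 * (or an empty element from a malformed list) refuses the whole path. */
static bool transited_allowed(const char *transited)
{
    const char *p = transited;

    if (p == NULL || *p == '\0')
        return true;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        if (!realm_allowed(p, len))
            return false;
        p = comma ? comma + 1 : p + len;
    }
    return true;
}

/* Same shape as a KDB check_transited_realms hook: 0 lets the KDC continue,
 * KRB5KRB_AP_ERR_ILL_CR_TKT makes it reject the cross-realm ticket. */
krb5_error_code ipa_check_transited_realms(const char *client_realm,
                                           const char *transited,
                                           const char *server_realm)
{
    bool has_client_realm, has_transited_contents, has_server_realm;

    if (client_realm == NULL || server_realm == NULL)
        return KRB5KRB_AP_ERR_ILL_CR_TKT;

    has_client_realm = realm_allowed(client_realm, strlen(client_realm));
    has_transited_contents = transited_allowed(transited);
    has_server_realm = realm_allowed(server_realm, strlen(server_realm));

    if (!(has_client_realm && has_transited_contents && has_server_realm))
        return KRB5KRB_AP_ERR_ILL_CR_TKT;
    return 0;
}
```

The two directions Alexander tested map onto calls such as `ipa_check_transited_realms("CHILD.AD.EXAMPLE.COM", "AD.EXAMPLE.COM", "IPA.EXAMPLE.COM")` (child domain to an IPA service) and the same call with client and server swapped, both of which return 0; a path that transits a realm absent from the table, e.g. `"AD.EXAMPLE.COM,ROGUE.EXAMPLE.COM"`, returns KRB5KRB_AP_ERR_ILL_CR_TKT even though the endpoints are trusted.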
