On Fri, 29 Aug 2014, Martin Kosek wrote:
On 08/29/2014 11:35 AM, Alexander Bokovoy wrote:
On Fri, 29 Aug 2014, Sumit Bose wrote:
On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
Hi!

Attached patchset improves trust operations:

1. Ensures we only allow establishing trust to forest root domain
2. Ensures that we select primary domain controllers
3. Ensures first create trust and later set it to transitive state and
  update forest topology
4. Relaxes filtering of domains obtained from AD side to allow some of
  possible topology combinations which were not accounted for
  previously
5. Reverts to any PDC rather than a closest one if closest one is not
  available due to site mismanagement.

Affected tickets:
 https://fedorahosted.org/freeipa/ticket/4463
 https://fedorahosted.org/freeipa/ticket/4479
 https://fedorahosted.org/freeipa/ticket/4458

The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1
branches).

They were tested with Windows Server 2008R2 and Windows Server 2012
environments.

Patches are looking good and I didn't find any issue in my tests, ACK.

I only have a question about 158. I wonder if the admin calling ipa
trust-add would be interested to see that setting the transitive
attribute failed? Currently it is buried in the logs so chances are that
nobody will recognise it.
Unfortunately, we don't have means in the framework to return warnings
nicely formatted and separated from the original output.

What about http://www.freeipa.org/page/V3/Messages? We can do warnings already:

# ipa dnszone-add example.test --forwarder 10.0.0.1 --name-server=`hostname`.
Administrator e-mail address [hostmaster.example.test.]:
ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
You may want to use forward zones (dnsforwardzone-*) instead.
For more details read the docs.
We need to understand consequences. If setting transitive flag on the
trust will fail, what does it mean for the trust's use? And what does it
mean in the context of one-way trust work?

Adding to that, there is another consideration: which leg of the trust
failed? With two-way trust we have four of them, with one-way there will
be two legs. Since code is structured in such a way that all of these
calls are symmetrical, we'll need to pass up the warning to some higher
caller and there decide what has happened. The task quickly goes beyond
a simple use of messages.

I don't have myself all answers yet. :)

--
/ Alexander Bokovoy
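The pattern discussed above, surfacing a failure to set the transitive flag per trust leg as an aggregated warning on the command result instead of only in the log, sketched as an added illustration. This is not FreeIPA code: `set_transitive`, `apply_transitive`, `TrustResult`, the leg tuples and the `fail_on` test hook are all constructed for the example, and the dict shape of the warning only mimics the idea of a `messages` list on the result.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("trust")

# Constructed leg lists (not FreeIPA's own data structures): a two-way forest
# trust has four legs (both directions on both sides), a one-way trust has two.
TWO_WAY_LEGS = (("ipa", "inbound"), ("ipa", "outbound"),
                ("ad", "inbound"), ("ad", "outbound"))
ONE_WAY_LEGS = (("ipa", "inbound"), ("ad", "outbound"))


class LegError(Exception):
    """Raised by the hypothetical per-leg call when a flag update is rejected."""


@dataclass
class TrustResult:
    """Mimics a command result carrying a 'messages' list (shape is assumed)."""
    value: str
    messages: list = field(default_factory=list)


def set_transitive(side, direction, fail_on=frozenset()):
    """Hypothetical low-level call standing in for the per-leg RPC.

    `fail_on` is a constructed test hook: legs listed there raise LegError,
    all others succeed.
    """
    if (side, direction) in fail_on:
        raise LegError("access denied while setting transitive flag")
    return True


def apply_transitive(domain, legs, fail_on=frozenset()):
    """Set the transitive flag on every leg, continuing past failures, and
    report all failed legs as a single warning on the result."""
    result = TrustResult(value=domain)
    failed = []
    for side, direction in legs:
        try:
            set_transitive(side, direction, fail_on)
        except LegError as exc:
            # Keep the detailed record in the log, as today...
            log.warning("transitive flag not set on %s/%s: %s",
                        side, direction, exc)
            failed.append((side, direction, str(exc)))
    if failed:
        # ...but also surface one aggregated warning the caller can display,
        # naming which legs failed so the admin knows where to look.
        detail = "; ".join(f"{s}/{d}: {msg}" for s, d, msg in failed)
        result.messages.append({
            "type": "warning",
            "name": "TrustTransitiveFlagNotSet",
            "message": (
                f"Trust to {domain} was created, but the transitive flag "
                f"could not be set on {len(failed)} of {len(legs)} legs "
                f"({detail}). Transitive (forest) trust may not work until "
                f"this is corrected."
            ),
        })
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    r = apply_transitive("ad.example.test", TWO_WAY_LEGS,
                         fail_on=frozenset({("ad", "outbound")}))
    for m in r.messages:
        print(f"ipa: {m['type'].upper()}: {m['message']}")
```

The trust itself is still reported as created; the warning only says which legs did not get the flag, which is the information that is otherwise lost in the log.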

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
