Hi,

These patches harden the adtrust installer.

Details in the commit messages.

Fixes: https://fedorahosted.org/freeipa/ticket/5134

Tomas
From a310154f1706cc05cd6c556ec7d92ffb77f7b3fa Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 27 Oct 2015 16:05:03 +0100
Subject: [PATCH] adtrustinstance: Wait for sidgen task completion

As part of hardening the adtrust installer, we should wait until
the sidgen task is completed before continuing, as it can take a
considerable amount of time in a larger deployment.

https://fedorahosted.org/freeipa/ticket/5134
---
 ipaserver/install/adtrustinstance.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index a890f141b5ea5d79511cbd7eb3d24c73cf04f3b5..588e0648e55a989fd8ab3c5262b1146f55bf11a2 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -30,6 +30,7 @@ from ipaserver.install import service
 from ipaserver.install import installutils
 from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
                                            dns_zone_exists
+from ipaserver.install.replication import wait_for_task
 from ipalib import errors, api
 from ipalib.util import normalize_zone
 from ipapython.dn import DN
@@ -463,13 +464,24 @@ class ADTRUSTInstance(service.Service):
 
     def __add_sids(self):
         """
-        Add SIDs for existing users and groups
+        Add SIDs for existing users and groups. Make sure the task is finished
+        before continuing.
         """
 
         try:
+            # Start the sidgen task
             self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict)
-        except:
-            pass
+
+            # Notify the user about the possible delay
+            self.print_msg("This step may take considerable amount of time, please wait..")
+
+            # Wait for the task to complete
+            task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config')
+            wait_for_task(self.admin_conn, task_dn)
+
+        except Exception:
+            root_logger.debug("Exception occured during SID generation: {0}"
+                              .format(str(e)))
 
     def __add_s4u2proxy_target(self):
         """
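Review bot: The new handler in `__add_sids` formats `str(e)`, but `e` is never bound because the clause is `except Exception:`. Any failure in `_ldap_mod` or `wait_for_task` therefore raises a NameError from inside the handler instead of being logged, so the clause should read `except Exception as e:`. The log message also misspells "occurred". Because the failure is written only at debug level, an incomplete SID generation is not reported to the person running the installer; a `self.print_msg("SID generation failed, see the install log")` call (wording is a suggestion) in the handler would make that partial state visible.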
-- 
2.1.0

From 8663d83d40bb8ae44a1c1ec0ffff106108e924b9 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 27 Oct 2015 16:05:35 +0100
Subject: [PATCH] adtrustinstance: Restart samba service at the end of
 adtrust-install

Errors related to establishing trust can occur if the samba service is not
restarted after ipa-adtrust-install has been run. Restart the service at
the end of the installer to avoid such issues.

https://fedorahosted.org/freeipa/ticket/5134
---
 ipaserver/install/adtrustinstance.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 588e0648e55a989fd8ab3c5262b1146f55bf11a2..9e05bdbe5c4b2e77dee3dc0d4de74a252ea6f4c1 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -743,6 +743,12 @@ class ADTRUSTInstance(service.Service):
         except:
             pass
 
+    def __restart_smb(self):
+        try:
+            services.knownservices.smb.restart()
+        except Exception:
+            pass
+
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
         # We do not let the system start IPA components on its own,
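Review bot: `__restart_smb` swallows every exception with `pass`, so when the restart fails the "restarting smbd" step still appears to succeed and the trust errors described in the commit message can remain with no trace in the log. Bind and record the failure instead, with `except Exception as e:` followed by `root_logger.warning("Failed to restart smb: %s", e)`. The same silent `except Exception: pass` is kept in `__stop` and `__restart_dirsrv` by the third patch in this series. The method also has no docstring; `"""Restart smb; trust establishment can fail if it is not restarted after install."""` would record why the step exists.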
@@ -874,6 +880,7 @@ class ADTRUSTInstance(service.Service):
         if self.add_sids:
             self.step("adding SIDs to existing users and groups",
                       self.__add_sids)
+        self.step("restarting smbd", self.__restart_smb)
 
         self.start_creation(show_service_name=False)
 
-- 
2.1.0

From 1e682ad06f99723ca2b0c0a71432d13263db5dc6 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 27 Oct 2015 16:08:10 +0100
Subject: [PATCH] adtrustinstance: Do not use bare except clauses

https://fedorahosted.org/freeipa/ticket/5134
---
 ipaserver/install/adtrustinstance.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 9e05bdbe5c4b2e77dee3dc0d4de74a252ea6f4c1..c2b446832559bbeab67f57b45bc23df82d56a68e 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -209,13 +209,13 @@ class ADTRUSTInstance(service.Service):
 
         try:
             admin_entry = self.admin_conn.get_entry(admin_dn)
-        except:
+        except errors.NotFound:
             self.print_msg("IPA admin object not found")
             return
 
         try:
             admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
-        except:
+        except errors.NotFound:
             self.print_msg("IPA admin group object not found")
             return
 
@@ -226,7 +226,7 @@ class ADTRUSTInstance(service.Service):
                 self.admin_conn.modify_s(admin_dn, \
                             [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
                              (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
-            except:
+            except Exception:
                 self.print_msg("Failed to modify IPA admin object")
 
         if admin_group_entry.single_value.get(self.ATTR_SID):
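Review bot: The `except Exception:` handler around `modify_s` here prints only a fixed message and drops the exception, so the install log cannot tell a permission problem from a schema or connection error when the admin SID (`dom_sid + "-500"`) is not written. Binding and logging it with `except Exception as e:` plus `root_logger.debug("Failed to modify IPA admin object: %s", e)` keeps the user-facing message and preserves the cause. The same applies to the handlers in the hunks at -236 (admin group), -307 (fallback group) and -726 (CIFS service start). The enclosing method starts and ends outside this hunk.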
@@ -236,7 +236,7 @@ class ADTRUSTInstance(service.Service):
                 self.admin_conn.modify_s(admin_group_dn, \
                             [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
                              (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
-            except:
+            except Exception:
                 self.print_msg("Failed to modify IPA admin group object")
 
     def __add_default_trust_view(self):
@@ -307,7 +307,7 @@ class ADTRUSTInstance(service.Service):
         try:
             mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
             self.admin_conn.modify_s(self.smb_dom_dn, mod)
-        except:
+        except Exception:
             self.print_msg("Failed to add fallback group to domain object")
 
     def __add_rid_bases(self):
@@ -726,7 +726,7 @@ class ADTRUSTInstance(service.Service):
         try:
             self.start()
             services.service('winbind').start()
-        except:
+        except Exception:
             root_logger.critical("CIFS services failed to start")
 
     def __stop(self):
@@ -734,13 +734,13 @@ class ADTRUSTInstance(service.Service):
         try:
             services.service('winbind').stop()
             self.stop()
-        except:
+        except Exception:
             pass
 
     def __restart_dirsrv(self):
         try:
             services.knownservices.dirsrv.restart()
-        except:
+        except Exception:
             pass
 
     def __restart_smb(self):
-- 
2.1.0
