On 11.12.2015 18:49, Tomas Babej wrote:


On 12/11/2015 05:37 PM, Martin Basti wrote:


On 11.12.2015 15:40, Jan Cholasta wrote:
On 11.12.2015 08:03, Jan Cholasta wrote:
On 11.12.2015 07:08, Jan Cholasta wrote:
On 10.12.2015 15:56, Martin Babinsky wrote:
On 12/10/2015 09:48 AM, Jan Cholasta wrote:
On 9.12.2015 16:38, Jan Cholasta wrote:
On 9.12.2015 14:52, Jan Cholasta wrote:
On 9.12.2015 10:02, Jan Cholasta wrote:
Hi,

the attached patches fix
<https://fedorahosted.org/freeipa/ticket/5497>.

Note that this needs selinux-policy fix to work, so put SELinux
into
permissive mode for testing:
<https://bugzilla.redhat.com/show_bug.cgi?id=1289930>.

Updated patches attached.

I screwed up a change in patch 524 and accidentally included a
chunk of
code in patch 525 that doesn't belong in it.

Updated patches attached.




Patches work as expected and I was not able to find any functional
problem.

I have a question about the naming of the oddjob helper script: the
one
related to trusts is named 'com.redhat.idm.trust-fetch-domains',
and the
conncheck runner is named 'org.freeipa.server.conncheck'. I don't want
to start another bikeshedding conversation but shouldn't we named them
in a consistent fashion (either rename the first one in separate patch
or rename the new helper to com.redhat.idm.server.conncheck)?

I understand that as an upstream, we should go with the
'org.freeipa.*'
convention, but having two helpers with different prefixes makes me
sad.

If you look at the larger picture, org.freeipa is the consistent name.
It makes me sad as well, but mistakes should be corrected. This is
similar to how we use PEP8 in new code, but do not fix it in old code
just for the sake of fixing it.


That is a nitpick though, it does not affect the overall functionality
of the patches so ACK.

Thanks for the review. The current patch 523 breaks the trusts oddjob
with SELinux in enforcing mode, I will send an update which corrects
that, until bug 1289930 is fixed.

Updated patches attached.

Rebased on top of current master.



Just question, should be any kinited user allowed to run conncheck via rpc?

Martin^2

I guess there's is little harm, any kinited user that was allowed to
access the machine could perform the conncheck even without these patches:

In the RPC check, the user must have the Replication Administrators privilege, which by default only admins have.


# ipa-replica-conncheck --master master.ipa.test -p ran...@ipa.test -w
ratarata -a -r IPA.TEST
Check connection from replica to remote master 'master.ipa.test':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica.ipa.test':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK

Connection from master to replica is OK.



--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to