On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:
Hi!

Attached are trust-related patches.

0207 is a pre-requisite. I did send it before, it is re-formatting of
the ipaserver/dcerpc.py to be close to PEP8 requirements.

0218 is an automated trust topology conflict resolver for DNS namespace
conflicts. Read the commit message for details, and also comments in the
code. With this patch FreeIPA becomes more smart than Windows Server
which doesn't have automated trust topology conflict resolution. ;)

0219 fixes issue of topology details leaking through external trust. The
problem is only in presentation as we store more data than needed -- it
is impossible to cross external trust boundary anyway as it is handled
by AD DC side, but one important consequence is that we need to store
UPN suffixes before we start storing information about child domains.
Again, read the commit message.

These patches also are on top of my previously sent patches 0215-0216.
Patches attached.




Hi Alexander,

patch 207: LGTM, but I have a feeling that the patch should be linked to both #6021 and #6076 so that it is not lost during backports.

patch 218:

ipalib/errors.py:

1.)
I'm not sure if TrustTopologyConflictError should inherit from InvocationError. The semantics of InvocationError implies that something was wrong when trying to invoke the command (a param failed to validate/convert, incorrect number of args, etc.), while this is more of an exception during command execution (no. and type of params was correct, command started to execute but encountered an error condition). Thus I think it should inherit from ExecutionError. CC'ing Jan for more thoughts on this.

2.)

Why is TrustTopologyConflictSolved listed amogn public errors? Since it is used only in dcerpc.py to restart trust establishment after resolving conflicts, it should be a private exception in dcerpc.py for this purpose.

3.)
Also please split the exception format string like this so that the line is not too long (there is not much we can do about doctest so leave that line as it is):

@@ -882,7 +882,8 @@ class TrustTopologyConflictError(InvocationError):
    """

    errno = 3017
- format = _("Forest '%(forest)s' has existing trust to forest(s) %(domains)s which prevents a trust to '%(conflict)s'")
+    format = _("Forest '%(forest)s' has existing trust to forest(s) "
+               "%(domains)s which prevents a trust to '%(conflict)s'")

Do not worry about gettext, it can handle it just fine, there are plenty of examples in server plugins, for example.


ipaserver/dcerpc.py:

1.)

I think that instead of returning result and raising TrustTopologyConflictError based on that, the 'clear_ftinfo_conflict' can raise this exception directly. You can have an empty list defined at the beginning instead of 'result list', append unresolvable conflicts to it and then at the end of the method check if it is non-empty and raise the exception.

2.)

+        # In the code below:
+        # self -- the forest we establish trust to
+        # another_domain -- a forest that establishes trust to 'self'
+        # cinfo -- lsa_ForestTrustCollisionInfo structure that contain
+        #          set of of lsa_ForestTrustCollisionRecord structures
I would add this directly into the method docstring:

"""
...

:param self: the forest we establish trust to
:param another_domain: a forest that establishes trust to 'self'
:param cinfo: lsa_ForestTrustCollisionInfo structure that contain
              set of of lsa_ForestTrustCollisionRecord structures
"""

Additionally, the behavior specifed in previous comment can be added using :raises: stanza:

"""
:raises: errors.TrustTopologyConflictError if there are unresolvable
   namespace conflicts between trusted domains
"""

3.)

rewriting 'clear_ftinfo_conflict' according to point 1.) will allow to simplify code in 'update_ftinfo' like this:

"""
-                res = self.clear_ftinfo_conflict(another_domain, cinfo)
-                if len(res[1]) != 0:
-                    domains = [x.name.string for x in res[1]]
-                    raise errors.TrustTopologyConflictError(
-                              target=self.info['dns_domain'],
-                              conflict=another_domain.info['dns_domain'],
-                              domains=domains)
-                else:
-                    raise errors.TrustTopologyConflictSolved(
-                              target=self.info['dns_domain'],
-                              conflict=another_domain.info['dns_domain'])
+                self.clear_ftinfo_conflict(another_domain, cinfo)
+                raise errors.TrustTopologyConflictSolved(
+                    target=self.info['dns_domain'],
+                    conflict=another_domain.info['dns_domain'])
"""

Patch 218:

1.)
typo in the commit message:

"""
...
suffixes are forest-wide, there *are could be* user accounts in the
...
"""

2.)
A stupid question I know, but why do we need to replace empty string with None here?

"""
# with the forest, thus we have to use netr_DsRGetForestTrustInformation - domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0) + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], None, 0)
"""
I'm answering this one while working on the other fixes.

netr_DsRGetForestTrustInformation() uses NULL to say a parameter is
missing, not empty string. It actually causes an issue if we don't do
that when asking a domain controller from a domain that is not a root
domain of the forest where we get currently undocumented error
NERR_ACFNotLoaded (0x000008b3). If non-NULL name is specified, AD domain
controller will perform proper operation only if it is a domain
controller from the forest root domain and the domain specified is
known. Obviously, a domain named '' cannot be known. This breaks external trust.

Perhaps, this could be moved into a separate patch on its own.


--
Martin^3 Babinsky

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to