On Wed, 17 Aug 2016, Martin Babinsky wrote:
On 08/17/2016 12:13 PM, Martin Babinsky wrote:
On 08/15/2016 06:06 PM, Alexander Bokovoy wrote:
On Mon, 15 Aug 2016, Alexander Bokovoy wrote:

Attached are trust-related patches.

0207 is a pre-requisite. I did send it before, it is re-formatting of
the ipaserver/dcerpc.py to be close to PEP8 requirements.

0218 is an automated trust topology conflict resolver for DNS namespace
conflicts. Read the commit message for details, and also comments in the
code. With this patch FreeIPA becomes more smart than Windows Server
which doesn't have automated trust topology conflict resolution. ;)

0219 fixes issue of topology details leaking through external trust. The
problem is only in presentation as we store more data than needed -- it
is impossible to cross external trust boundary anyway as it is handled
by AD DC side, but one important consequence is that we need to store
UPN suffixes before we start storing information about child domains.
Again, read the commit message.

These patches also are on top of my previously sent patches 0215-0216.
Patches attached.

Hi Alexander,

patch 207: LGTM, but I have a feeling that the patch should be linked to
both #6021 and #6076 so that it is not lost during backports.

patch 218:


I'm not sure if TrustTopologyConflictError should inherit from
InvocationError. The semantics of InvocationError implies that something
was wrong when trying to invoke the command (a param failed to
validate/convert, incorrect number of args, etc.), while this is more of
an exception during command execution (no. and type of params was
correct, command started to execute but encountered an error condition).
Thus I think it should inherit from ExecutionError. CC'ing Jan for more
thoughts on this.


Why is TrustTopologyConflictSolved listed amogn public errors? Since it
is used only in dcerpc.py to restart trust establishment after resolving
conflicts, it should be a private exception in dcerpc.py for this purpose.

Also please split the exception format string like this so that the line
is not too long (there is not much we can do about doctest so leave that
line as it is):

@@ -882,7 +882,8 @@ class TrustTopologyConflictError(InvocationError):

    errno = 3017
-    format = _("Forest '%(forest)s' has existing trust to forest(s)
%(domains)s which prevents a trust to '%(conflict)s'")
+    format = _("Forest '%(forest)s' has existing trust to forest(s) "
+               "%(domains)s which prevents a trust to '%(conflict)s'")

Do not worry about gettext, it can handle it just fine, there are plenty
of examples in server plugins, for example.



I think that instead of returning result and raising
TrustTopologyConflictError based on that, the 'clear_ftinfo_conflict'
can raise this exception directly. You can have an empty list defined at
the beginning instead of 'result list', append unresolvable conflicts to
it and then at the end of the method check if it is non-empty and raise
the exception.


+        # In the code below:
+        # self -- the forest we establish trust to
+        # another_domain -- a forest that establishes trust to 'self'
+        # cinfo -- lsa_ForestTrustCollisionInfo structure that contain
+        #          set of of lsa_ForestTrustCollisionRecord structures
I would add this directly into the method docstring:


:param self: the forest we establish trust to
:param another_domain: a forest that establishes trust to 'self'
:param cinfo: lsa_ForestTrustCollisionInfo structure that contain
         set of of lsa_ForestTrustCollisionRecord structures

Additionally, the behavior specifed in previous comment can be added
using :raises: stanza:

:raises: errors.TrustTopologyConflictError if there are unresolvable
   namespace conflicts between trusted domains


rewriting 'clear_ftinfo_conflict' according to point 1.) will allow to
simplify code in 'update_ftinfo' like this:

-                res = self.clear_ftinfo_conflict(another_domain, cinfo)
-                if len(res[1]) != 0:
-                    domains = [x.name.string for x in res[1]]
-                    raise errors.TrustTopologyConflictError(
-                              target=self.info['dns_domain'],
-                              conflict=another_domain.info['dns_domain'],
-                              domains=domains)
-                else:
-                    raise errors.TrustTopologyConflictSolved(
-                              target=self.info['dns_domain'],
-                              conflict=another_domain.info['dns_domain'])
+                self.clear_ftinfo_conflict(another_domain, cinfo)
+                raise errors.TrustTopologyConflictSolved(
+                    target=self.info['dns_domain'],
+                    conflict=another_domain.info['dns_domain'])

Patch 218:

typo in the commit message:

suffixes are forest-wide, there *are could be* user accounts in the

A stupid question I know, but why do we need to replace empty string
with None here?

        # with the forest, thus we have to use
-        domains =
netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0)
+        domains =
netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], None, 0)

Also I just noticed some pylint errors when doing build:

Pylint is running, please wait ...
************* Module ipaserver.dcerpc
ipaserver/dcerpc.py:58: [E0401(import-error), ] Unable to import 'pysss_nss_idmap')
ipaserver/dcerpc.py:59: [E0401(import-error), ] Unable to import 'pysss')
ipaserver/dcerpc.py:1202: [E1305(too-many-format-args), TrustDomainInstance.clear_ftinfo_conflict] Too many arguments for format string) ipaserver/dcerpc.py:1207: [E0602(undefined-variable), TrustDomainInstance.clear_ftinfo_conflict] Undefined variable 'conflict_type')
Makefile:137: recipe for target 'pylint' failed

You can probably ignore the first two since they may be caused by my broken build environment.
Right, conflict_type[rec.type] is a left-over I had originally to choose
the type but since then decided to make two different error logging for
in-forest and external to forest cases.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to