URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
 Title: #682: ipaserver/dcerpc: unify error processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From 25d8a94c862c51300198ea4956842521935e53f8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 3 Apr 2017 10:29:21 +0300
Subject: [PATCH 1/2] ipaserver/dcerpc: unify error processing

Samba error code reporting changes from version to version but we also
did not provide proper input into DCE RPC error processing method we
have.

Unify error processing and add few more fallback entries.

With Samba 4.7 we'll have to change it again because error code
processing for Samba Python modules will change with introduction of
samba.ntstatus and samba.werror modules.

Note that this commit also changes a message returned for error code
-1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is more general one.

Fixes https://pagure.io/freeipa/issue/6859
---
 ipaserver/dcerpc.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2d9d7e5..d684a17 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -117,19 +117,27 @@ def is_sid_valid(sid):
                   # we simply will skip the binding
         access_denied_error,
     -1073741772:  # NT_STATUS_OBJECT_NAME_NOT_FOUND
-        errors.RemoteRetrieveError(
-            reason=_('CIFS server configuration does not allow '
-                     'access to \\\\pipe\\lsarpc')),
+        errors.NotFound(
+            reason=_('Cannot find specified domain or server name')),
 }
 
 dcerpc_error_messages = {
     "NT_STATUS_OBJECT_NAME_NOT_FOUND":
         errors.NotFound(
             reason=_('Cannot find specified domain or server name')),
+    "The object name is not found.":
+        errors.NotFound(
+            reason=_('Cannot find specified domain or server name')),
     "WERR_NO_LOGON_SERVERS":
         errors.RemoteRetrieveError(
             reason=_('AD DC was unable to reach any IPA domain controller. '
                      'Most likely it is a DNS or firewall issue')),
+    # This is a very long key, don't change it
+    "There are currently no logon servers available to "
+    "service the logon request.":
+        errors.RemoteRetrieveError(
+            reason=_('AD DC was unable to reach any IPA domain controller. '
+                     'Most likely it is a DNS or firewall issue')),
     "NT_STATUS_INVALID_PARAMETER_MIX":
         errors.RequirementError(
             name=_('At least the domain or IP address should be specified')),
@@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain):
 
         # Both methods should not fail at the same time
         if finddc_error and len(info['gc']) == 0:
-            raise assess_dcerpc_exception(message=str(finddc_error))
+            num, message = e.args  # pylint: disable=unpacking-non-sequence
+            raise assess_dcerpc_exception(num=num, message=message)
 
         self._info[domain] = info
         return info
@@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host,
             else:
                 result = netrc.finddc(address=remote_host, flags=flags)
         except RuntimeError as e:
-            raise assess_dcerpc_exception(message=str(e))
+            num, message = e.args  # pylint: disable=unpacking-non-sequence
+            raise assess_dcerpc_exception(num=num, message=message)
 
         if not result:
             return False
@@ -1408,7 +1418,8 @@ def communicate(td):
             result = netrc.finddc(domain=trustdomain,
                                   flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
     except RuntimeError as e:
-        raise assess_dcerpc_exception(message=str(e))
+        num, message = e.args  # pylint: disable=unpacking-non-sequence
+        raise assess_dcerpc_exception(num=num, message=message)
 
     td.info['dc'] = unicode(result.pdc_dns_name)
     td.info['name'] = unicode(result.dns_domain)

From 4f6054693e797215192388188b0b889342882dcf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 5 Apr 2017 12:37:10 +0300
Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust
 information

Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366
---
 ipaserver/plugins/trust.py | 42 +++++++++---------------------------------
 1 file changed, 9 insertions(+), 33 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 3de2458..e6e9088 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1742,47 +1742,23 @@ def execute(self, *keys, **options):
         ldap = self.api.Backend.ldap2
         verify_samba_component_presence(ldap, self.api)
 
-        trust = self.api.Command.trust_show(
-            keys[0], all=True, raw=True)['result']
+        # Check first that the trust actually exists
+        self.api.Command.trust_show(keys[0], all=True, raw=True)['result']
 
         result = dict()
         result['result'] = []
         result['count'] = 0
         result['truncated'] = False
 
-        trust_direction = int(trust['ipanttrustdirection'][0])
-        is_nontransitive = int(trust.get('ipanttrustattributes',
-                               [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
         # For one-way trust and external trust fetch over DBus.
         # We don't get the list in this case.
-        if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive:
-            fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
-            result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.'))
-            return result
-
-        trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
-        if not trustinstance.configured:
-            raise errors.NotFound(
-                name=_('AD Trust setup'),
-                reason=_(
-                    'Cannot perform join operation without own domain '
-                    'configured. Make sure you have run ipa-adtrust-install '
-                    'on the IPA server first'
-                )
-            )
-
-        trustinstance.populate_remote_domain(keys[0])
-
-        res = fetch_domains_from_trust(self.api, trustinstance, **options)
-        domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
-
-        if len(domains) > 0:
-            result['summary'] = unicode(_('List of trust domains successfully refreshed'))
-        else:
-            result['summary'] = unicode(_('No new trust domains were found'))
-
-        result['result'] = domains
-        result['count'] = len(domains)
+        # With privilege separation we also cannot authenticate as
+        # HTTP/ principal because we have no access to its key material.
+        # Thus, we'll use DBus call out to oddjobd helper in all cases
+        fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
+        result['summary'] = unicode(_('List of trust domains successfully '
+                                      'refreshed. Use trustdomain-find '
+                                      'command to list them.'))
         return result
 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to