Re: [Freeipa-devel] [PATCH 0356] trusts: Detect missing Samba instance

2015-08-17 Thread Martin Babinsky

On 08/06/2015 10:11 AM, Tomas Babej wrote:

Hi,

In the event of invocation of trust related commands, IPA server needs
to contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.

Properly detect the absence of the Samba instance and output user-friendly
message which includes list of servers that are capable of running
the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165




ACK

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0356] trusts: Detect missing Samba instance

2015-08-17 Thread Martin Basti



On 08/17/2015 02:41 PM, Martin Babinsky wrote:

On 08/06/2015 10:11 AM, Tomas Babej wrote:

Hi,

In the event of invocation of trust related commands, IPA server needs
to contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.

Properly detect the absence of the Samba instance and output user-friendly
message which includes list of servers that are capable of running
the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165




ACK


Pushed to:
master: 1f62ab72caacbdb8eb892173d72c81e984a9fe56
ipa-4-2: 91c9559eea9d16c9915d35cfed6b22b43bc19809



[Freeipa-devel] [PATCH 0356] trusts: Detect missing Samba instance

2015-08-06 Thread Tomas Babej
Hi,

In the event of invocation of trust related commands, IPA server needs
to contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.

Properly detect the absence of the Samba instance and output user-friendly
message which includes list of servers that are capable of running
the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165
From 128ee05bbebe17f77272b8f2a6bd5039cfbc26b0 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 6 Aug 2015 10:10:04 +0200
Subject: [PATCH] trusts: Detect missing Samba instance

In the event of invocation of trust related commands, IPA server needs to
contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.

Properly detect the absence of the Samba instance and output user-friendly
message which includes list of servers that are capable of running
the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165
---
 ipalib/plugins/trust.py | 99 +++--
 1 file changed, 79 insertions(+), 20 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 940e06a5ffa387c6cc18983d7b56f089f58a236e..ba80eefe4735a8800cc530e60b4435c3d8cdcf4d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -199,6 +199,73 @@ def make_trust_dn(env, trust_type, dn):
 return DN(dn, container_dn)
 return dn
 
+def find_adtrust_masters(ldap, api):
+
+Returns a list of names of IPA servers with ADTRUST component configured.
+
+
+try:
+entries, truncated = ldap.find_entries(
+cn=ADTRUST,
+base_dn=api.env.container_masters + api.env.basedn
+)
+except errors.NotFound:
+entries = []
+
+return [entry.dn[1].value for entry in entries]
+
+def verify_samba_component_presence(ldap, api):
+
+Verifies that Samba is installed and configured on this particular master.
+If Samba is not available, provide a heplful hint with the list of masters
+capable of running the commands.
+
+
+adtrust_present = api.Command['adtrust_is_enabled']()['result']
+
+hint = _(
+' Alternatively, following servers are capable of running this '
+'command: %(masters)s'
+)
+
+def raise_missing_component_error(message):
+masters_with_adtrust = find_adtrust_masters(ldap, api)
+
+# If there are any masters capable of running Samba requiring commands
+# let's advertise them directly
+if masters_with_adtrust:
+message += hint % dict(masters=', '.join(masters_with_adtrust))
+
+raise errors.NotFound(
+name=_('AD Trust setup'),
+reason=message,
+)
+
+# We're ok in this case, bail out
+if adtrust_present and _bindings_installed:
+return
+
+# First check for packages missing
+elif not _bindings_installed:
+error_message=_(
+'Cannot perform the selected command without Samba 4 support '
+'installed. Make sure you have installed server-trust-ad '
+'sub-package of IPA.'
+)
+
+raise_missing_component_error(error_message)
+
+# Packages present, but ADTRUST instance is not configured
+elif not adtrust_present:
+error_message=_(
+'Cannot perform the selected command without Samba 4 instance '
+'configured on this machine. Make sure you have run '
+'ipa-adtrust-install on this server.'
+)
+
+raise_missing_component_error(error_message)
+
+
 def generate_creds(trustinstance, style, **options):
 
 Generate string representing credentials using trust instance
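
Review bot: In `find_adtrust_masters`, the `truncated` value returned by `ldap.find_entries` is discarded, so if the search comes back truncated the hint lists only some of the capable masters without saying so; either check `truncated` or word the hint so it does not read as a complete list. The names are taken with `entry.dn[1].value`, which silently assumes every match sits exactly one level below the master's own entry; a short comment stating the expected DN layout would make that assumption visible. In `verify_samba_component_presence`, appending the translated `hint` to an already translated message with `+=` fixes the sentence order for every locale, so a single format string per case would translate better. Smaller points: the docstring typo "heplful", `error_message=_(` without spaces around `=`, and the `elif` branches after the early `return`, which can be plain `if`.
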
@@ -554,6 +621,10 @@ sides.
 has_output_params = LDAPCreate.has_output_params + trust_output_params
 
 def execute(self, *keys, **options):
+ldap = self.obj.backend
+
+verify_samba_component_presence(ldap, self.api)
+
 full_join = self.validate_options(*keys, **options)
 old_range, range_name, dom_sid = self.validate_range(*keys, **options)
 result = self.execute_ad(full_join, *keys, **options)
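
Review bot: In `execute`, `verify_samba_component_presence(ldap, self.api)` now runs before `self.validate_options(*keys, **options)`, so on a server without Samba the caller gets the "AD Trust setup" error even when the supplied options are themselves invalid. That ordering looks intended, but nothing in the hunk says so; a one-line comment above the call stating that the check must precede any code relying on the Samba bindings would keep a later refactor from moving it below `validate_options`.
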
@@ -569,7 +640,6 @@ sides.
 created_range_type = old_range['result']['iparangetype'][0]
 
 trust_filter = cn=%s % result['value']
-ldap = self.obj.backend
 (trusts, truncated) = ldap.find_entries(
  base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
  filter=trust_filter)
@@ -642,16 +712,6 @@ sides.
 def validate_options(self, *keys, **options):