Re: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install
On 2.3.2016 22:15, Martin Štefany wrote:

Hi,

On St, 2016-03-02 at 17:51 +0100, Martin Basti wrote:

On 27.02.2016 21:19, Martin Štefany wrote:

Hi,

I did as Jan suggested, everything is now a new command 'ipa-sshupdate' (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste), rest is based on ipa-client-install's code. I'm not sure if this is correct, but you might want to change ipa-client-install to just 'import ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how this is compatible with 'code deduplication', 're-usage', etc.

Another open point from my side is PEP8 compliance, I've run the new code through the pep8 utility with defaults and it's 'OK'. But so is code in my employer's project and they look slightly 'different', mainly for brackets, strings, etc. Please, have a look at that, too, I'm happy for any guidance.

Martin

On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:

Hi,

On 25.2.2016 14:23, Martin Basti wrote:

On 22.02.2016 22:13, Martin Štefany wrote:

Hi,

please, review the attached patch which adds --ssh-update to ipa-client-install.

Ticket: https://fedorahosted.org/freeipa/ticket/2655

Hello,

thank you for your patch. Please attach a patch as a file next time.

I have doubts that this should be part of ipa-client-install, this needs a broader discussion.

+1, I think it should be a separate command (ignore my earlier suggestion from Trac to incorporate this into ipa-client-install, I was young and stupid).

See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an example of how such a command should be implemented.

Code comments inline:

---
Martin

From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 00:00:00 2001
From: Martin Stefany Date: Mon, 22 Feb 2016 20:58:13 + Subject: [PATCH] Add new parameter --ssh-update to ipa-client- install Add a new parameter '--ssh-update' which can be used later after freeipa client is installed to update SSH hostkeys and SSHFP DNS records for host. https://fedorahosted.org/freeipa/ticket/2655 --- ipa-client/ipa-install/ipa-client-install | 102 +- 1 file changed, 99 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- client/ipa- install/ipa-client-install index 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bdda da89 a3b151 33e398ca50 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 CLIENT_NOT_CONFIGURED = 2 CLIENT_ALREADY_CONFIGURED = 3 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH public keys def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): @@ -215,6 +216,12 @@ def parse_options(): "be run with -- unattended option") parser.add_option_group(uninstall_group) +sshupdate_group = OptionGroup(parser, "SSH key update options") +sshupdate_group.add_option("--ssh-update", dest="ssh_update", + action="store_true", default=False, + help="update local host's SSH public keys in host entry and DNS.") +parser.add_option_group(sshupdate_group) + options, args = parser.parse_args() safe_opts = parser.get_safe_opts(options) 
@@ -840,6 +847,92 @@ def uninstall(options, env): return rv +def sshupdate(options, env): +if not is_ipa_client_installed(): +root_logger.error("IPA client is not configured on this system.") +return CLIENT_NOT_CONFIGURED + +api.bootstrap(context='cli_installer', debug=options.debug) +api.finalize() +if 'config_loaded' not in api.env: +root_logger.error("Failed to initialize IPA API.") +return CLIENT_SSHUPDATE_ERROR + +# Now, let's try to connect to the server's RPC interface +connected = False +try: +api.Backend.rpcclient.connect() +connected = True +root_logger.debug("Try RPC connection") +api.Backend.rpcclient.forward('ping') +except errors.KerberosError as e: +if connected: +api.Backend.rpcclient.disconnect() +root_logger.info( +"Cannot connect to the server due to Kerberos error: %s. " +"Trying with delegate=True", e) +try: +api.Backend.rpcclient.connect(delegate=True) +root_logger.debug("Try RPC connection") +api.Backend.rpcclient.forward('ping') + +root_logger.info("Connection with delegate=True successful") + +# The remote server is not capable of Kerberos S4U2Proxy +# delegation. This features is implemented in IPA server +# version 2.2 and higher +root_logger.warning( +"Target IPA server has a lower version than the enrolled " +"client") +
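Review bot: the new exit status in the @@ -71,6 +71,7 @@ hunk, CLIENT_SSHUPDATE_ERROR = 5, is returned by the later sshupdate() hunk for an API initialization failure as well as for the key update itself, so the trailing comment "error during update of SSH public keys" undersells it; widen the comment and document the new code wherever ipa-client-install's other exit statuses are listed (its man page).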
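Review bot: the @@ -215,6 +216,12 @@ hunk registers --ssh-update as a new option group but shows no validation that it is rejected when combined with --uninstall or with the install-only options; parse_options() should fail early when options.ssh_update is set together with options.uninstall, the same way the uninstall group's conflicting options are checked, rather than letting the later dispatch pick one of them silently.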
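Review bot: in the @@ -840,6 +847,92 @@ hunk, `connected = True` is set after the first `api.Backend.rpcclient.connect()` and is never reset after the `disconnect()` in the KerberosError handler, so by the time the `connect(delegate=True)` retry runs the flag no longer reflects the connection state; reset it to False before the retry (or set it again only after the retry's connect succeeds). Two smaller points: `root_logger.debug("Try RPC connection")` is logged after connect() has already returned, so move it before the call, and the comment "This features is implemented" should read "This feature is implemented". The delegate=True fallback forwards the caller's Kerberos ticket to the server, so keeping it as a logged fallback rather than the default, as this hunk does, is the right shape. The whole block is duplicated from ipa-client-install's install path, which is the copy-paste Jan's suggestion of a separate ipaclient module is meant to avoid.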
Re: [Freeipa-devel] Supporting UPNs of trusted forests
On Wed, 02 Mar 2016, Sumit Bose wrote:
On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote:
On Wed, 02 Mar 2016, Petr Vobornik wrote:
>On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
>>Hi,
>>
>>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains describes a design page to support name suffixes from trusted Active Directory domains.
>>
>>A prototype code exists (written by me and Sumit) and was tested by Sumit against recent releases of SSSD.
>>
>>Text is provided below for easier commenting.
>>-
>>{{Feature|version=TODO|ticket=TODO|author=Ab}}
>>
>>== Overview ==
>>User principal name (UPN) in Active Directory is the primary form of addressing users. UPN has structure of 'user name@suffix' where both user name and suffix parts may vary. By default the suffix is the same as the Active Directory domain name but AD administrators may create additional name suffixes and associate them with specific users. These additional UPNs for users may then be used for Kerberos authentication against Active Directory domains.
>>
>>Alternative UPNs are often used when several companies with Active Directory deployments merge and want to provide unified logon namespace.
>>
>>The purpose of this feature is to allow using alternative UPNs associated with the Active Directory users when accessing resources in FreeIPA domain.
>>
>>== Use Cases ==
>>
>>As an Active Directory user, I want to login using my user@EXAMPLE user principal name even if my Active Directory domain is named REGION.EXAMPLE.COM.
>>
>>== Design ==
>>Support for UPNs is split to three different components:
>>
>>;Client-side
>>: SSSD already supports logon with UPN by asking a KDC to accept enterprise logon names. By default, the use of enterprise principals is disabled, therefore, krb5_use_enterprise_principal = True needs to be added to sssd.conf to enable it.
>>
>>;KDC
>>: IPA KDC does understand multiple domains associated with the trusted AD forest. However, since no information about name suffixes associated with the forest is available, it cannot take them into account when processing enterprise logon names to issue referrals to the correct realm. Support needs to be added to allow IPA KDC to look up name suffixes associated with a trusted forest.
>>
>>;IPA framework
>>: Changes needed on IPA framework side to fetch from Active Directory a list of name suffixes and store them in the trusted domain objects.
>>
>>== Implementation ==
>>For retrieving name suffixes, IPA framework needs to move to use NETLOGON netr_DsRGetForestTrustInformation function instead of netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and top level names associated with the forest.
>>
>>As top level names (TLNs) have only a single string as a name suffix, they cannot be stored as trusted domains (they lack SID and NetBIOS name). Thus, either IPA KDB driver needs to be extended to understand trusted domains without SID and NetBIOS name, or TLNs need to be stored as a property of tree root domains of the forest.
>>
>>== Feature Management ==
>>
>>=== UI ===
>>If TLNs are added as a property of tree root domains of the forest, appropriate panel needs to be extended to display them.
>>
>>=== CLI ===
>>If TLNs are added as a property of tree root domains of the forest, appropriate attribute need to be handled by '''trust-show''' command. If TLNs represented as separate 'trusted domains' of the trusted forest, no work is needed on CLI other than being able to support 'trusted domains' without SID and NetBIOS name.
>
>What is meant by 'tree root domains of the forest' in IPA context? The trust object?

Yes. A forest might have multiple tree roots. We establish trust with one of them (forest root domain) but you can have distinct tree roots too. For a forest example.com a separate tree root could be ad.test which is still a part of the forest. In Windows' UI for domains and forests trust you'll see it as a separate entry at the top level. Each tree root may have associated name suffixes.

But I thought they still can be used across the whole forest, e.g. if you assign an alternative domain suffix in the UI of ad.test you can use this suffix for users from example.com as well?

That's something I need to test. It seems like that, though, from what I remember...

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
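The KDC-side gap the design describes, worked through as an added example that is not FreeIPA's or the prototype's code: a lookup that maps the suffix of an enterprise principal to the trusted forest it belongs to, first by trusted domain name (what the IPA KDC can do today) and then by the forest root's top level names (what the feature adds). The TrustedDomain model, its hypothetical `tlns` attribute and the sample forest are constructed for this illustration, and it assumes a TLN also covers names below it.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrustedDomain:
    """One trusted domain object (TDO) as this example models it."""
    name: str                          # DNS name, e.g. 'region.example.com'
    forest_root: str                   # DNS name of the forest root domain
    # Top level names (UPN suffixes) of the forest; only the forest root's
    # TDO carries them. Hypothetical attribute, not an IPA schema name.
    tlns: List[str] = field(default_factory=list)


def _covers(name_suffix: str, name: str) -> bool:
    """True if the suffix is 'name' itself or lies below it in DNS terms.

    Assumption: a TLN covers subordinate names too (no TLN exclusion
    records are modelled here)."""
    s, n = name_suffix.lower(), name.lower()
    return s == n or s.endswith('.' + n)


def referral_realm(principal: str,
                   trusted: List[TrustedDomain]) -> Optional[str]:
    """Realm the KDC should refer an enterprise principal to, or None.

    Step 1 is what the IPA KDC can already do: match the suffix against
    the DNS names of known trusted domains. Step 2 is what the design
    adds: match against the TLNs stored for each forest root."""
    if '@' not in principal:
        raise ValueError('enterprise principal must have a @suffix')
    suffix = principal.rsplit('@', 1)[1]

    # Step 1: the most specific trusted domain whose name covers the suffix.
    by_name = [td for td in trusted if _covers(suffix, td.name)]
    if by_name:
        return max(by_name, key=lambda td: len(td.name)).name.upper()

    # Step 2: TLNs recorded on forest roots; refer to that forest root's
    # realm and let its KDC resolve the alternative suffix.
    best = None  # (matched tln, forest root name)
    for td in trusted:
        if td.name != td.forest_root:
            continue
        for tln in td.tlns:
            if _covers(suffix, tln) and (best is None or len(tln) > len(best[0])):
                best = (tln, td.name)
    return best[1].upper() if best else None


# Constructed sample data: a forest with root example.com, a child domain
# region.example.com, a second tree root ad.test, and the alternative UPN
# suffix 'example' that AD admins added for the forest.
FOREST = [
    TrustedDomain('example.com', 'example.com',
                  tlns=['example.com', 'ad.test', 'example']),
    TrustedDomain('region.example.com', 'example.com'),
    TrustedDomain('ad.test', 'example.com'),
]

# The same forest as the KDC sees it today: no TLN information at all.
FOREST_WITHOUT_TLNS = [
    TrustedDomain(td.name, td.forest_root) for td in FOREST
]


if __name__ == '__main__':
    for upn in ('alice@EXAMPLE', 'bob@region.example.com',
                'carol@ad.test', 'dave@other.org'):
        print(upn, '->', referral_realm(upn, FOREST),
              '| without TLNs:', referral_realm(upn, FOREST_WITHOUT_TLNS))
```

The use case from the design, alice@EXAMPLE with her account in REGION.EXAMPLE.COM, resolves only when the TLN list is present; without it the lookup returns None, which is why the KDC cannot issue the referral today.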
Re: [Freeipa-devel] Supporting UPNs of trusted forests
On Wed, 02 Mar 2016, Simo Sorce wrote:
On Wed, 2016-03-02 at 17:24 +0200, Alexander Bokovoy wrote:
On Wed, 02 Mar 2016, Petr Vobornik wrote:
>On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
>>[...]
>
>What is meant by 'tree root domains of the forest' in IPA context? The trust object?

Yes. A forest might have multiple tree roots. We establish trust with one of them (forest root domain) but you can have distinct tree roots too. For a forest example.com a separate tree root could be ad.test which is still a part of the forest.
In Windows' UI for domains and forests trust you'll see it as a separate entry at the top level. Each tree root may have associated name suffixes.

There are actually two different approaches we discussed with Sumit -- one is to store TLNs as attributes of TDO, another is to create separate TDOs, building on the fact you noticed:

>Btw trustdomain object has ipantflatname and ipanttrusteddomainsid attributes as optional so it is possible to store it there assuming modification of KDB driver.

This is what I did already in the prototype:
https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch

So we are sure that either way would work, the question is what would be more usable UX-wise.

> How does Windows represent them ?

Weirdly.

> I'd try to stick to something close to what AD does to avoid pain if later is found that the way Windows does things is necessary (or just easier) to keep adding further options down the road.

See following
Re: [Freeipa-devel] External trust to AD
On Wed, 02 Mar 2016, Petr Vobornik wrote:
On 03/02/2016 11:13 AM, Alexander Bokovoy wrote:
Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design for external trust to AD feature. The text is included below for easier review.

---
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

== Use Cases ==
As an Active Directory domain admin, I want to establish trust between IPA and my domain only. The trust between IPA and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.

== Design ==
External trust between Active Directory domains is by definition non-transitive and enforces SID filtering between the domain boundaries. This means only users and groups with SIDs from the trusted domain can use the resources and be visible on IPA systems. None of other users and groups from domains the trusted domain trusts within its own Active Directory forest or other externally trusted domains will be allowed to access IPA resources.

== Implementation ==
External trust feature re-uses existing forest trust infrastructure. There are several specific changes to allow supporting external trust:

* '''Non-transitivity''': since external trust is non-transitive by definition, any attempt to set transitivity feature of the trust link with LSA SetInformationTrustedDomain() command will fail. Thus, there is no need to set transitivity for the external trust.

Sounds very simple :) Do I get it right that it is possible to do it today? Because now the code just does:

    root_logger.error('unable to set trust to transitive: %s' % (str(e)))
    pass

I have a patchset to add this support already. I want to clean up some parts of it, namely, reporting of the resulting trust type, but it all works.

* '''Trust attributes''': external trust can be detected by looking into absence of ipaNTTrustAttributes LDAP attribute of the trusted domain object.

== Feature Management ==

=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to '--external' flag in 'trust-add' command in CLI.

=== CLI ===
An external trust creation can be requested by passing additional flag '--external=true' to the 'trust-add' command. The flag defaults to 'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

We should also add 'external' param to output of trust_find and trust_show + corresponding change in Web UI and CLI.

It will be part of the trust type string, not a separate param.

--
/ Alexander Bokovoy
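What the SID filtering in the Design section means for the SIDs a user presents, as an added example that is not FreeIPA's code or its trust implementation: only the user's own domain SID and group SIDs issued by the externally trusted domain pass, and anything from a sibling domain of that forest, another external trust or a well-known authority is dropped. The domain SIDs are constructed sample values, and the split between domain identifier and RID is an assumption this example makes for S-1-5-21-style SIDs.

```python
from typing import Iterable, List, Tuple

# Constructed sample: the SID IPA would have stored for the externally
# trusted domain, and the SID of a sibling domain in the same AD forest.
TRUSTED_DOMAIN_SID = 'S-1-5-21-1111-2222-3333'
SIBLING_DOMAIN_SID = 'S-1-5-21-4444-5555-6666'


def domain_part(sid: str) -> str:
    """Return the domain identifier of an account or group SID.

    Assumption: the last sub-authority is the RID and everything before
    it identifies the issuing domain (the S-1-5-21-... layout)."""
    parts = sid.split('-')
    if len(parts) < 4 or parts[0] != 'S' or not all(p.isdigit() for p in parts[1:]):
        raise ValueError('not a SID: %r' % (sid,))
    return '-'.join(parts[:-1])


def filter_pac_sids(trusted_domain_sid: str, user_sid: str,
                    group_sids: Iterable[str]) -> Tuple[bool, List[str], List[str]]:
    """Apply external-trust SID filtering to the SIDs a user presents.

    Returns (user_allowed, kept_group_sids, dropped_group_sids). A user
    whose own SID is not from the trusted domain is rejected outright;
    group SIDs issued by any other domain (siblings in the trusted
    domain's forest, other external trusts, well-known authorities) are
    dropped, which is the non-transitivity the design describes."""
    groups = list(group_sids)
    if domain_part(user_sid) != trusted_domain_sid:
        return False, [], groups
    kept, dropped = [], []
    for sid in groups:
        (kept if domain_part(sid) == trusted_domain_sid else dropped).append(sid)
    return True, kept, dropped


if __name__ == '__main__':
    # A user from the trusted domain carrying one group from a sibling domain:
    # the sibling group is dropped, so it can never grant access on IPA systems.
    print(filter_pac_sids(TRUSTED_DOMAIN_SID, TRUSTED_DOMAIN_SID + '-1105',
                          [TRUSTED_DOMAIN_SID + '-513', SIBLING_DOMAIN_SID + '-2001']))
```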
Re: [Freeipa-devel] [PATCH 0429] fix suspicious except statement
On 02.03.2016 17:17, Martin Basti wrote:

Patch attached, read commit message for more info.
https://fedorahosted.org/freeipa/ticket/5718

Updated patch attached.

From a4d22716232dd7eaf39fa13df0f857d5d288d5ac Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 2 Mar 2016 17:13:27 +0100
Subject: [PATCH] fix suspicious except statements

The "except ValueError as UnicodeDecodeError" looks very suspicious. The commit changes the except to catch both exceptions.

https://fedorahosted.org/freeipa/ticket/5718
---
 client/ipa-client-install | 2 +-
 ipalib/util.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install index 1e611244593b4db88beacfdeb47e92faae24132e..44ddeb956dfd6928317d50309aea42d8eb9e2de0 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1798,7 +1798,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): continue try: pubkey = SSHPublicKey(line) -except ValueError as UnicodeDecodeError: +except (ValueError, UnicodeDecodeError): continue root_logger.info("Adding SSH public key from %s", filename) pubkeys.append(pubkey)
diff --git a/ipalib/util.py b/ipalib/util.py index 6c70fbdfcb1f936468101dd2e5ed726ec614a893..262acf926e73ba1521faa151154e2149875be4b7 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -278,13 +278,13 @@ def normalize_sshpubkey(value): def validate_sshpubkey(ugettext, value): try: SSHPublicKey(value) -except ValueError as UnicodeDecodeError: +except (ValueError, UnicodeDecodeError): return _('invalid SSH public key') def validate_sshpubkey_no_options(ugettext, value): try: pubkey = SSHPublicKey(value) -except ValueError as UnicodeDecodeError: +except (ValueError, UnicodeDecodeError): return _('invalid SSH public key') if pubkey.has_options():
@@ -304,7 +304,7 @@ def convert_sshpubkey_post(ldap, dn, entry_attrs): for pubkey in pubkeys: try: pubkey = SSHPublicKey(pubkey) -except ValueError as UnicodeDecodeError: +except (ValueError, UnicodeDecodeError): continue fp = pubkey.fingerprint_hex_md5() -- 2.5.0
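Review bot: UnicodeDecodeError is a subclass of ValueError, so `except ValueError as UnicodeDecodeError:` in the @@ -1798,7 +1798,7 @@ hunk of client/ipa-client-install already caught both; the real defect is that the `as` clause rebound the builtin name UnicodeDecodeError to the caught instance inside update_ssh_keys (and Python 3 deletes that name when the handler exits), which the tuple form removes. The commit message should say so rather than "to catch both exceptions". Separately, the `continue` after the handler still drops a malformed key line silently; a root_logger.debug naming the file, next to the existing "Adding SSH public key from %s" message, would make a skipped key visible when a host ends up with fewer keys than expected.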
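Review bot: the same rebinding applies to validate_sshpubkey and validate_sshpubkey_no_options in the @@ -278,13 +278,13 @@ hunk and to convert_sshpubkey_post in the @@ -304,7 +304,7 @@ hunk of ipalib/util.py; with four call sites now catching the identical tuple, a single module-level constant for the SSHPublicKey parse errors would keep the next caller from reintroducing the `as` form.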
Re: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install
On 27.02.2016 21:19, Martin Štefany wrote: Hi, I did as Jan suggested, everything is now a new command 'ipa-sshupdate', (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste), rest is based on ipa-client-install's code. I'm not sure if this is correct, but you might want to change ipa-client-install to just 'import ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how this is compatible with 'code deduplication', 're-usage', etc. Another open point from my side is PEP8 compliance, I've ran the new code through pep8 utility with defaults and it's 'OK'. But so is code in my employer's project and they look slightly 'different', mainly for brackets, strings, etc. Please, have a look to that, too, I'm happy for any guidance. Martin On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote: Hi, On 25.2.2016 14:23, Martin Basti wrote: On 22.02.2016 22:13, Martin Štefany wrote: Hi, please, review the attached patch which adds --ssh-update to ipa- client- install. Ticket:https://fedorahosted.org/freeipa/ticket/2655 Hello, thank you for your patch. Please attach a patch as a file next time. I have doubts that this should be part of ipa-client-install, this needs a broader discussion. +1, I think it should be a separate command (ignore my earlier suggestion from Trac to incorporate this into ipa-client-install, I was young and stupid). See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an example of how such a command should be implemented. Code comments inline: --- Martin From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 00:00:00 2001 
From: Martin Stefany Date: Mon, 22 Feb 2016 20:58:13 + Subject: [PATCH] Add new parameter --ssh-update to ipa-client- install Add a new parameter '--ssh-update' which can be used later after freeipa client is installed to update SSH hostkeys and SSHFP DNS records for host. https://fedorahosted.org/freeipa/ticket/2655 --- ipa-client/ipa-install/ipa-client-install | 102 +- 1 file changed, 99 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- client/ipa- install/ipa-client-install index 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bddada89 a3b151 33e398ca50 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 CLIENT_NOT_CONFIGURED = 2 CLIENT_ALREADY_CONFIGURED = 3 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH public keys def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): @@ -215,6 +216,12 @@ def parse_options(): "be run with -- unattended option") parser.add_option_group(uninstall_group) +sshupdate_group = OptionGroup(parser, "SSH key update options") +sshupdate_group.add_option("--ssh-update", dest="ssh_update", + action="store_true", default=False, + help="update local host's SSH public keys in host entry and DNS.") +parser.add_option_group(sshupdate_group) + options, args = parser.parse_args() safe_opts = parser.get_safe_opts(options) 
@@ -840,6 +847,92 @@ def uninstall(options, env): return rv +def sshupdate(options, env): +if not is_ipa_client_installed(): +root_logger.error("IPA client is not configured on this system.") +return CLIENT_NOT_CONFIGURED + +api.bootstrap(context='cli_installer', debug=options.debug) +api.finalize() +if 'config_loaded' not in api.env: +root_logger.error("Failed to initialize IPA API.") +return CLIENT_SSHUPDATE_ERROR + +# Now, let's try to connect to the server's RPC interface +connected = False +try: +api.Backend.rpcclient.connect() +connected = True +root_logger.debug("Try RPC connection") +api.Backend.rpcclient.forward('ping') +except errors.KerberosError as e: +if connected: +api.Backend.rpcclient.disconnect() +root_logger.info( +"Cannot connect to the server due to Kerberos error: %s. " +"Trying with delegate=True", e) +try: +api.Backend.rpcclient.connect(delegate=True) +root_logger.debug("Try RPC connection") +api.Backend.rpcclient.forward('ping') + +root_logger.info("Connection with delegate=True successful") + +# The remote server is not capable of Kerberos S4U2Proxy +# delegation. This features is implemented in IPA server +# version 2.2 and higher +root_logger.warning( +"Target IPA server has a lower version than the enrolled " +"client") +root_logger.warning( +"Some capabilities including the ipa command capability " +
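Review bot: the parse_options hunk declares `--ssh-update` in its own OptionGroup but adds no check that it is not combined with `--uninstall` or with the enrollment-only options; since the flag selects a separate mode for the script, parse_options should reject those combinations with parser.error() (the hunk's leading context line, "be run with --unattended option", shows it already does this for the uninstall group), otherwise a run with both flags silently does whichever branch is tested first.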
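Review bot: in the sshupdate() hunk the fallback on `errors.KerberosError` reconnects with `delegate=True`, which turns on Kerberos credential delegation to the server; that is a change in what the server is handed and deserves a warning-level log rather than info, and the two "lower version" warnings that follow are emitted on every successful delegated connection regardless of what the first failure actually was. Also make sure the inner `try:` around the delegated connect has an `except` that disconnects and returns CLIENT_SSHUPDATE_ERROR (this copy of the hunk is cut off before it), otherwise a second KerberosError escapes as a traceback. Since a key update only needs the host's own credentials, it is worth asking whether the delegate fallback is needed here at all.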
[Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys
Patch attached, see commit message for details From 630dee2536106cbda7b49345733f37cfd8834f08 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 2 Mar 2016 17:26:33 +0100 Subject: [PATCH] Remove unused arguments from update_ssh_keys method First argumet has been unused and can be safely removed, because server is not used for nsupdate anymore --- client/ipa-client-install | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 44ddeb956dfd6928317d50309aea42d8eb9e2de0..48c325f53c295a5e30a9a59f357f8561d9875400 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1776,7 +1776,8 @@ def check_ip_addresses(options): return False return True -def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): + +def update_ssh_keys(hostname, ssh_dir, create_sshfp): if not os.path.isdir(ssh_dir): return @@ -2887,7 +2888,8 @@ def install(options, env, fstore, statestore): configure_certmonger(fstore, subject_base, cli_realm, hostname, options, ca_enabled) -update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp) +update_ssh_keys(hostname, services.knownservices.sshd.get_config_dir(), +options.create_sshfp) try: os.remove(CCACHE_FILE) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
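Review bot: the `index 44ddeb95…` pre-image of this diff is the post-image blob of PATCH 0429 on this list, so 0430 applies only on top of 0429 and the submission should say so. In the commit message, "argumet" should read "argument", and the subject says "arguments" while the patch removes exactly one (`server`).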
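Review bot: the install() hunk updates a single call site; any remaining caller of update_ssh_keys() that still passes `server` will fail at runtime with a TypeError, so grep the tree for other callers before pushing, as this copy of the patch shows only this one.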
[Freeipa-devel] [PATCH 0429] fix suspicious except statement
Patch attached, read commit message for more info. From 2346845810137b7a844747ad75ee6e626d45d84e Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 2 Mar 2016 17:13:27 +0100 Subject: [PATCH] fix suspicious except statement in update_ssh_key The "except ValueError as UnicodeDecodeError" looks very suspicious. Commit change except to catch both exceptions. --- client/ipa-client-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 1e611244593b4db88beacfdeb47e92faae24132e..44ddeb956dfd6928317d50309aea42d8eb9e2de0 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1798,7 +1798,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): continue try: pubkey = SSHPublicKey(line) -except ValueError as UnicodeDecodeError: +except (ValueError, UnicodeDecodeError): continue root_logger.info("Adding SSH public key from %s", filename) pubkeys.append(pubkey) -- 2.5.0
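Review bot: UnicodeDecodeError is a subclass of ValueError (via UnicodeError), so `except ValueError:` alone already catches both; the tuple form is harmless and self-documenting, but the commit message should not imply the old code let UnicodeDecodeError through. What the old line really did was bind the caught ValueError to a local named `UnicodeDecodeError`, shadowing the builtin for the rest of the function; removing that shadowing is the actual fix and the reason the static checker flagged the line.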
Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
On 28.01.2016 10:45, Filip Skola wrote:
- Original Message - On 01/18/2016 02:26 PM, Filip Skola wrote: Hi, this should be fixed in this patch. F.
- Original Message - On 01/15/2016 03:37 PM, Filip Skola wrote: Hi, sending rebased patch. F.
- Original Message - Hi, the patch no longer applies to master. Please rebase it. Thanks, Milan
- Original Message - From: "Filip Skola" To: freeipa-devel@redhat.com Cc: "Milan Kubík", "Aleš Mareček" Sent: Tuesday, 22 December, 2015 11:56:15 AM Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
Hi, another patch from refactoring-test_xmlrpc series. Filip
NACK, something seems to be missing in the patch
* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member), HostGroupTracker.check_add_member_negative] Instance of 'HostGroupTracker' has no 'adds' member)
-- Milan Kubik
The same as with patch 0002:
* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin W:142,26: Calling a dict.iter*() method (dict-iter-method)
Please use dict.items method.
-- Milan Kubik
Hi, attaching a fixed patch. This patch is dependent on updated group plugin test patch 0002-7. Filip
Bump for review
Re: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled
On 28.01.2016 16:25, Petr Vobornik wrote: On 01/28/2016 04:23 PM, Tomas Babej wrote: On 01/28/2016 04:15 PM, Petr Vobornik wrote: Reworks also sessionStorage test because disablement of cookies might be connected with sessionStorage and localStorage. E.g. Chrome raises exception when *Storage is accessed with "Block sites from setting any data" settings set in "Content Settings/Cookies" section. https://fedorahosted.org/freeipa/ticket/4338 Seems that two spaces inserted themselves to the error message for localStorage :) updated patch attached. Bump for review
Re: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class
On 28.01.2016 17:32, Martin Babinsky wrote: On 01/28/2016 05:06 PM, Tomas Babej wrote: On 01/28/2016 04:44 PM, Martin Babinsky wrote: On 01/28/2016 03:20 PM, Tomas Babej wrote: On 01/27/2016 03:58 PM, Martin Babinsky wrote: On 01/18/2016 06:43 PM, Martin Babinsky wrote:
A little patch that should make some future pylint errors disappear.
Attaching updated patch that does not promote direct molestation of instance dictionaries.
Patch looks good, one thing I am concerned about though is that __todict__ now returns a direct reference to the internal, mutable dict, and no longer a (shallow) copy. Maybe we should use dict.copy() there? Tomas
Ah I didn't realize that. Fixed in updated patch.
Nitpick: Sorry for being misleading - I did not mean to suggest invoking the method using the dict type directly. While being equivalent, dict.copy(self.__options) is less idiomatic than: self.__options.copy() Tomas
Ah sorry I forgot how to python again. Attaching patch.
Bump for review
Re: [Freeipa-devel] [PATCH 0422] CI: allow customized DS install test to run under different domain levels
On 24.02.2016 19:01, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5606 Patch attached. Bump for review
Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI
On 01.03.2016 14:50, Martin Babinsky wrote:
On 02/29/2016 05:37 PM, thierry bordaz wrote:
On 02/26/2016 05:48 PM, Martin Babinsky wrote:
On 02/26/2016 04:24 PM, thierry bordaz wrote:
On 02/25/2016 07:17 PM, thierry bordaz wrote:
On 02/25/2016 12:03 PM, Martin Babinsky wrote:
On 02/24/2016 04:30 PM, thierry bordaz wrote:
On 01/21/2016 05:04 PM, Martin Babinsky wrote:
On 01/21/2016 01:37 PM, thierry bordaz wrote:

Hi Thierry,

I have a couple of comments to your patch:

1.) There is a number of PEP8 errors in the patch (http://paste.fedoraproject.org/313246/33893701), please fix them. See http://www.freeipa.org/page/Python_Coding_Style for our conventions used in Python code.

2.)
+DNA_BIND_METHOD = "dnaRemoteBindMethod"
+DNA_CONN_PROTOCOL = "dnaRemoteConnProtocol"
+DNA_PLUGIN_DN = 'cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
+dna_config_base = 'cn=Posix IDs,%s' % DNA_PLUGIN_DN

Uppercase names are usually reserved for module-level constants. OTOH, local variables should be lowercase. Also you can instantiate dna_config_base directly as DN, using 2-member tuples, i. e:
"""
dna_config_base = DN(('cn', 'posix IDs'), ('cn', 'Distributed Numeric Assignment Plugin'), ('cn', 'plugins'), ('cn', 'config'))
"""
When passing DN object to the formatting functions/operators, it is automatically converted to string so no need to hold string and DN object separately. This is done in other places (see function/methods in replication.py).

3.)
+for i in range(len(entries)) :
+
+mod = []
+if entries[i].single_value.get(DNA_BIND_METHOD) != method:
+mod.append((ldap.MOD_REPLACE, DNA_BIND_METHOD, method))
+
+if entries[i].single_value.get(DNA_CONN_PROTOCOL) != protocol:
+mod.append((ldap.MOD_REPLACE, DNA_CONN_PROTOCOL, protocol))

please use idiomatic Python when handling list of entries, e.g.:
"""
for entry in entries:
    mod = []
    if entry.single_value.get(DNA_BIND_METHOD) != method:
        ...
"""

4.) I think that this method should be in DSInstance class since it deals with directory server configuration. Service is a parent object of all other service installers/configurators and should contain only methods common to more children.

5.) Since the method is called from every installer, it could be beneficial to call it in DSInstance.__common_post_setup() as a part of Directory server installation. Is there any reason why this is not the case?

6.)
+while attempt != MAX_WAIT:
+try:
+entries = conn.get_entries(sharedcfgdn, scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn)
+break
+except errors.NotFound:
+root_logger.debug("So far enable not find DNA shared config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn, sharedcfgdn))
+attempt = attempt + 1
+time.sleep(2)
+continue
+
+# safety checking
+# there is no return, if there are several entries, as a workaround of #5510
+if len(entries) != 1:

I am quite afraid what would happen if the server does not return any entries until 30 s timeout. The code will then continue to the condition which can potentially test an uninitialized variable and blow up with 'NameError'. This should be handled more robustly, e. g. raise an exception when a timeout is reached and no entries were returned.

7.)
+if len(mod) > 0:

A Pythonic way to test for non-empty container is
"""
if mods:
    # do stuff
"""
since an empty list/dict/set evaluates to False and non-empty containers are True.

8.)
+entry = conn.get_entry(entries[i].dn)
+if entry.single_value.get(DNA_BIND_METHOD) != method:
+root_logger.error("Fail to set SASL/GSSAPI bind method to %s" % (entries[i].dn))
+if entry.single_value.get(DNA_CONN_PROTOCOL) != protocol:
+root_logger.error("Fail to set LDAP protocol to %s" % (entries[i].dn))

rather than re-fetching the modified entry and testing what happened, you can just catch an exception raised by unsuccessful mod and log an error like this:
"""
try:
    conn.modify_s(entry.dn, mod)
except Exception as e:
    root_logger.error("Failed to modify entry {}: {}".format(entry, e))
"""
as a matter of fact, if the modify_s operation would fail for some reason, an ldap exception would be raised and your checks would not even be executed.

9.) The debug message on line 219 should read "Unable to find DNA shared config entry for dnaHostname=%s so far. Retry in 2 sec.". The errors at the end of the method should have "Failed" instead of "Fail".

Hi Martin,

Finally tested... here is the updated patch. Thanks for your patience

thanks
thierry

Hi Thierry,

the patch works as expected. I have some more nitpicks though:

1.) Please fix the following pep8 errors:
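Points 6, 7 and 8 of the review above describe one failure mode (a retry loop that can fall through to an unbound variable when the entry never shows up) and two idioms (`if mods:` and catching the modify's exception instead of re-reading the entry). The following is an added example that is not FreeIPA code and not Thierry's patch: it reproduces the criticised loop shape, shows a form where every exit path is explicit, and wraps the modify the way point 8 suggests. `NotFound`, `FakeDirectory`, `failing_modify` and the `modify` callable are constructed stand-ins for ipalib.errors.NotFound and an LDAP connection.

```python
"""Added example, not FreeIPA code: the DNA shared-config retry loop from
the review, first in the criticised shape, then hardened. NotFound and
FakeDirectory are constructed stand-ins for ipalib.errors.NotFound and an
LDAP connection."""
import logging
import time

log = logging.getLogger(__name__)


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""


class LookupTimeout(Exception):
    """Raised when the entry does not appear within max_attempts polls."""


def original_loop(get_entries, max_wait=3, sleep=lambda seconds: None):
    """Shape of the loop under review. If every poll raises NotFound the
    loop ends through the attempt counter, `entries` is never bound, and
    the len() check fails with UnboundLocalError (a NameError subclass)."""
    attempt = 0
    while attempt != max_wait:
        try:
            entries = get_entries()
            break
        except NotFound:
            attempt = attempt + 1
            sleep(2)
            continue
    if len(entries) != 1:
        return None
    return entries[0]


def wait_for_single_entry(get_entries, max_attempts=15, delay=2.0,
                          sleep=time.sleep):
    """Hardened form: poll up to max_attempts times, `delay` seconds apart.
    Returns the single entry; raises LookupTimeout when nothing appears and
    ValueError when the server returns more than one entry."""
    for attempt in range(1, max_attempts + 1):
        try:
            entries = get_entries()
        except NotFound:
            log.debug("entry not found yet (attempt %d/%d)",
                      attempt, max_attempts)
            if attempt < max_attempts:
                sleep(delay)
            continue
        if len(entries) != 1:
            raise ValueError("expected one entry, got %d" % len(entries))
        return entries[0]
    raise LookupTimeout("no entry after %d attempts" % max_attempts)


def apply_mods(modify, dn, mods):
    """Run a modify only when the modlist is non-empty (`if mods:`) and
    report failure via the exception instead of re-reading the entry.
    Returns True when a modify was attempted and succeeded."""
    if not mods:
        return False
    try:
        modify(dn, mods)
    except Exception as e:  # ldap.LDAPError in real code
        log.error("Failed to modify entry %s: %s", dn, e)
        return False
    return True


def failing_modify(dn, mods):
    """Constructed modify callable that is always rejected by the server."""
    raise RuntimeError("modify rejected")


class FakeDirectory:
    """Constructed LDAP stand-in: NotFound for the first `misses` polls,
    then `entries`."""

    def __init__(self, misses, entries):
        self.misses = misses
        self.entries = entries
        self.calls = 0

    def get_entries(self):
        self.calls += 1
        if self.calls <= self.misses:
            raise NotFound()
        return list(self.entries)


def original_loop_fails_on_timeout():
    """True when the original loop dies with NameError on a never-found entry."""
    directory = FakeDirectory(misses=10, entries=[])
    try:
        original_loop(directory.get_entries, max_wait=3)
    except NameError:
        return True
    return False


def hardened_loop_times_out():
    """True when the hardened loop raises LookupTimeout after exactly
    max_attempts polls instead of touching an unbound variable."""
    directory = FakeDirectory(misses=10, entries=[])
    try:
        wait_for_single_entry(directory.get_entries, max_attempts=3,
                              sleep=lambda seconds: None)
    except LookupTimeout:
        return directory.calls == 3
    return False
```

The hardened loop never reaches a `len()` on something it did not assign: every path either returns an entry or raises, which is what point 6 asks for, and a caller can decide whether a timeout is fatal for the installer.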
Re: [Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095
On 01.03.2016 15:22, Milan Kubík wrote: On 02/19/2016 02:11 PM, Oleg Fayans wrote: Hi Milan, On 02/12/2016 04:03 PM, Milan Kubík wrote: Agreed. The latest patch gets rid of all resolv.conf related manipulations. The tests work (where not affected by https://fedorahosted.org/bind-dyndb-ldap/ticket/160) -- Milan Kubik Works for me, tested on sudo test that requires autodiscovery. ACK Pushed to: ipa-4-3: a8f53296f633a8c2a0f6a041dd1d4bec854d206e master: cfbb7769a70f4cac4bb6d6b7fe36116b43c830e7
Re: [Freeipa-devel] Supporting UPNs of trusted forests
On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote:
> On Wed, 02 Mar 2016, Petr Vobornik wrote:
> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
> >>describes a design page to support name suffixes from trusted Active
> >>Directory domains.
> >>
> >>A prototype code exists (written by me and Sumit) and was tested by Sumit
> >>against recent releases of SSSD.
> >>
> >>Text is provided below for easier commenting.
> >>-
> >>{{Feature|version=TODO|ticket=TODO|author=Ab}}
> >>
> >>== Overview ==
> >>User principal name (UPN) in Active Directory is the primary form of
> >>addressing users. UPN has structure of 'user name@suffix' where both
> >>user name and suffix parts may vary. By default the suffix is the same
> >>as the Active Directory domain name but AD administrators may create
> >>additional name suffixes and associate them with specific users. These
> >>additional UPNs for users may then be used for Kerberos authentication
> >>against Active Directory domains.
> >>
> >>Alternative UPNs are often used when several companies with Active
> >>Directory deployments merge and want to provide unified logon namespace.
> >>
> >>The purpose of this feature is to allow using alternative UPNs
> >>associated with the Active Directory users when accessing resources in
> >>FreeIPA domain.
> >>
> >>== Use Cases ==
> >>
> >>As an Active Directory user, I want to login using my user@EXAMPLE user
> >>principal name even if my Active Directory domain is named
> >>REGION.EXAMPLE.COM.
> >>== Design==
> >>Support for UPNs is split to three different components:
> >>;Client-side
> >>: SSSD already supports logon with UPN by asking a KDC to accept
> >>enterprise logon names. By default, the use of enterprise principals is
> >>disabled, therefore, krb5_use_enterprise_principal = True
> >>needs to be added to sssd.conf to enable it.
> >>
> >>;KDC
> >>: IPA KDC does understand multiple domains associated with the trusted
> >>AD forest. However, since no information about name suffixes associated
> >>with the forest is available, it cannot take them into account when
> >>processing enterprise logon names to issue referrals to the correct
> >>realm. Support needs to be added to allow IPA KDC to look up name
> >>suffixes associated with a trusted forest.
> >>
> >>; IPA framework
> >>: Changes needed on IPA framework side to fetch from Active Directory a
> >>list of name suffixes and store them in the trusted domain objects.
> >>
> >>== Implementation ==
> >>For retrieving name suffixes, IPA framework needs to move to use
> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
> >>top level names associated with the forest.
> >>
> >>As top level names (TLNs) have only a single string as a name suffix,
> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
> >>name). Thus, either IPA KDB driver needs to be extended to understand
> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
> >>as a property of tree root domains of the forest.
> >>
> >>== Feature Management ==
> >>
> >>=== UI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate panel needs to be extended to display them.
> >>
> >>=== CLI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate attribute need to be handled by '''trust-show''' command. If
> >>TLNs represented as separate 'trusted domains' of the trusted forest, no
> >>work is needed on CLI other than being able to support 'trusted domains'
> >>without SID and NetBIOS name.
> >
> >What is meant by 'tree root domains of the forest' in IPA context? The
> >trust object?
> Yes. A forest might have multiple tree roots. We establish trust with
> one of them (forest root domain) but you can have distinct tree roots
> too. For a forest example.com a separate tree root could be ad.test
> which is still a part of the forest. In Windows' UI for domains and
> forests trust you'll see it as a separate entry at the top level. Each
> tree root may have associated name suffixes.

But I thought they still can be used across the whole forest, e.g. if you assign an alternative domain suffix in the UI of ad.test you can use this suffix for users from example.com as well?

bye,
Sumit

>
> There are actually two different approaches we discussed with Sumit
> -- one is to store TLNs as attributes of TDO, another is to create
> separate TDOs, building on the fact you noticed:
> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
> >attributes as optional so it is possible to store it there assuming
> >modification of KDB driver.
> This is what I did already in the prototype:
>
Re: [Freeipa-devel] External trust to AD
On 03/02/2016 11:13 AM, Alexander Bokovoy wrote: Hi, http://www.freeipa.org/page/V4/External_trust_to_AD documents a design for external trust to AD feature. The text is included below for easier review. --- {{Feature|version=TODO|ticket=TODO|author=Ab}} == Overview == Support for external trust to a domain from Active Directory forest An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest. == Use Cases == As an Active Directory domain admin, I want to establish trust between IPA and my domain only. The trust between IPA and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources. == Design== External trust between Active Directory domains is by definition non-transitive and enforces SID filtering between the domain boundaries. This means only users and groups with SIDs from the trusted domain can use the resources and be visible on IPA systems. None of other users and groups from domains the trusted domain trusts within its own Active Directory forest or other externally trusted domains will be allowed to access IPA resources. == Implementation == External trust feature re-uses existing forest trust infrastructure. There are several specific changes to allow supporting external trust: * '''Non-transitivity''': since external trust is non-transitive by * definition, any attempt to set transitivity feature of the trust link * with LSA SetInformationTrustedDomain() command will fail. Thus, there * is no need to set transitivity for the external trust. Sounds very simple :) Do I get it right that it is possible to do it today? 
Because now the code just does: root_logger.error('unable to set trust to transitive: %s' % (str(e))) pass

* '''Trust attributes''': external trust can be detected by looking into absence of ipaNTTrustAttributes LDAP attribute of the trusted domain object.

== Feature Management ==
=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to '--external' flag in 'trust-add' command in CLI.
=== CLI ===
An external trust creation can be requested by passing additional flag '--external=true' to the 'trust-add' command. The flag defaults to 'false', e.g. no external trust would be created.
{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

We should also add 'external' param to output of trust_find and trust_show + corresponding change in Web UI and CLI.

=== Configuration ===
No configuration options needed.
== Upgrade ==
No changes on upgrades. The trust properties are only set up at trust creation time.
== How to Test ==
In order to test the external trust, attempt to create a trust to non-root domain in an Active Directory forest. It should fail without '--external=true' option and should be able to establish the external trust with '--external=true' option to 'trust-add' command. A type of the trust can be seen with 'trust-show' command.
== Test Plan ==
---
-- Petr Vobornik
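The design above rests on SID filtering: on an external trust only users and groups whose SIDs were issued by the directly trusted domain are accepted, while a forest trust admits every domain enumerated from the forest. The following is an added example, not FreeIPA or Samba code, that shows that difference on constructed data; the SIDs, the domain names and all function names are mine, and the filter is the strict "issuing domain must be on the allow list" rule the design text describes, not a reimplementation of Windows' full SID-filtering table.

```python
"""Added example, not FreeIPA or Samba code: SID filtering for an external
(non-transitive) trust next to the forest-trust rule. All SIDs and domain
values are constructed."""
import re

# S-1-<identifier authority>-<subauthority>[-<subauthority>...]; an account
# SID ends in the relative identifier (RID) of the user or group.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def is_valid_sid(sid):
    """Syntactic check only; a filter must reject anything it cannot parse."""
    return bool(_SID_RE.match(sid))


def split_sid(sid):
    """Return (issuing_domain_sid, rid) for an account SID, e.g.
    S-1-5-21-1000-2000-3000-1105 -> ("S-1-5-21-1000-2000-3000", 1105)."""
    if not is_valid_sid(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_sids(allowed_domain_sids, sids):
    """Keep the SIDs whose issuing domain is in allowed_domain_sids.
    Everything else (other domains, well-known SIDs such as S-1-1-0,
    unparsable strings) is rejected. Returns (accepted, rejected) in
    input order."""
    for dom in allowed_domain_sids:
        if not is_valid_sid(dom):
            raise ValueError("malformed domain SID: %r" % (dom,))
    allowed = set(allowed_domain_sids)
    accepted, rejected = [], []
    for sid in sids:
        try:
            domain, _rid = split_sid(sid)
        except ValueError:
            rejected.append(sid)
            continue
        (accepted if domain in allowed else rejected).append(sid)
    return accepted, rejected


def external_trust_filter(trusted_domain_sid, sids):
    """External trust: only the directly trusted domain is allowed, so
    nothing from the rest of its forest gets through."""
    return filter_sids([trusted_domain_sid], sids)


def forest_trust_filter(forest_domain_sids, sids):
    """Forest trust: every domain enumerated from the trusted forest."""
    return filter_sids(forest_domain_sids, sids)


# Constructed forest: the domain an external trust points at, and a sibling
# domain in the same forest that the external trust must not admit.
TRUSTED_DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SIBLING_DOMAIN_SID = "S-1-5-21-4000-5000-6000"

# Constructed group list as it might arrive in a ticket's PAC.
SAMPLE_SIDS = [
    TRUSTED_DOMAIN_SID + "-1105",   # user in the trusted domain
    TRUSTED_DOMAIN_SID + "-513",    # Domain Users of the trusted domain
    SIBLING_DOMAIN_SID + "-1106",   # group from the sibling domain
    "S-1-1-0",                      # Everyone: well-known, not domain-issued
    "not-a-sid",                    # garbage must never slip through
]

if __name__ == "__main__":
    ok, dropped = external_trust_filter(TRUSTED_DOMAIN_SID, SAMPLE_SIDS)
    print("external trust accepts:", ok)
    print("external trust drops:  ", dropped)
    ok, dropped = forest_trust_filter(
        [TRUSTED_DOMAIN_SID, SIBLING_DOMAIN_SID], SAMPLE_SIDS)
    print("forest trust accepts:  ", ok)
    print("forest trust drops:    ", dropped)
```

Rejecting unparsable input and well-known SIDs by default is deliberate: a filter that lets through anything it does not recognise gives up exactly the boundary the non-transitive trust is supposed to enforce.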
Re: [Freeipa-devel] Supporting UPNs of trusted forests
On Wed, 02 Mar 2016, Petr Vobornik wrote:
On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains describes a design page to support name suffixes from trusted Active Directory domains.

A prototype code exists (written by me and Sumit) and was tested by Sumit against recent releases of SSSD.

Text is provided below for easier commenting.
-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
User principal name (UPN) in Active Directory is the primary form of addressing users. UPN has structure of 'user name@suffix' where both user name and suffix parts may vary. By default the suffix is the same as the Active Directory domain name but AD administrators may create additional name suffixes and associate them with specific users. These additional UPNs for users may then be used for Kerberos authentication against Active Directory domains.

Alternative UPNs are often used when several companies with Active Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs associated with the Active Directory users when accessing resources in FreeIPA domain.

== Use Cases ==
As an Active Directory user, I want to login using my user@EXAMPLE user principal name even if my Active Directory domain is named REGION.EXAMPLE.COM.

== Design==
Support for UPNs is split to three different components:
;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept enterprise logon names. By default, the use of enterprise principals is disabled, therefore, krb5_use_enterprise_principal = True needs to be added to sssd.conf to enable it.
;KDC
: IPA KDC does understand multiple domains associated with the trusted AD forest. However, since no information about name suffixes associated with the forest is available, it cannot take them into account when processing enterprise logon names to issue referrals to the correct realm.
Support needs to be added to allow IPA KDC to look up name suffixes associated with a trusted forest. ; IPA framework : Changes needed on IPA framework side to fetch from Active Directory a list of name suffixes and store them in the trusted domain objects. == Implementation == For retrieving name suffixes, IPA framework needs to move to use NETLOGON netr_DsRGetForestTrustInformation function instead of netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and top level names associated with the forest. As top level names (TLNs) have only a single string as a name suffix, they cannot be stored as trusted domains (they lack SID and NetBIOS name). Thus, either IPA KDB driver needs to be extended to understand trusted domains without SID and NetBIOS name, or TLNs need to be stored as a property of tree root domains of the forest. == Feature Management == === UI === If TLNs are added as a property of tree root domains of the forest, appropriate panel needs to be extended to display them. === CLI === If TLNs are added as a property of tree root domains of the forest, appropriate attribute need to be handled by '''trust-show''' command. If TLNs represented as separate 'trusted domains' of the trusted forest, no work is needed on CLI other than being able to support 'trusted domains' without SID and NetBIOS name. What is meant by 'tree root domains of the forest' in IPA context? The trust object? Yes. A forest might have multiple tree roots. We establish trust with one of them (forest root domain) but you can have distinct tree roots too. For a forest example.com a separate tree root could be ad.test which is still a part of the forest. In Windows' UI for domains and forests trust you'll see it as a separate entry at the top level. Each tree root may have associated name suffixes. 
There are actually two different approaches we discussed with Sumit -- one is to store TLNs as attributes of TDO, another is to create separate TDOs, building on the fact you noticed: Btw trustdomain object has ipantflatname and ipanttrusteddomainsid attributes as optional so it is possible to store it there assuming modification of KDB driver. This is what I did already in the prototype: https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch So we are sure that either way would work, the question is what would be more usable UX-wise. -- / Alexander Bokovoy
Re: [Freeipa-devel] Supporting UPNs of trusted forests
On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains describes a design page to support name suffixes from trusted Active Directory domains.

A prototype code exists (written by me and Sumit) and was tested by Sumit against recent releases of SSSD.

Text is provided below for easier commenting.
-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
User principal name (UPN) in Active Directory is the primary form of addressing users. UPN has structure of 'user name@suffix' where both user name and suffix parts may vary. By default the suffix is the same as the Active Directory domain name but AD administrators may create additional name suffixes and associate them with specific users. These additional UPNs for users may then be used for Kerberos authentication against Active Directory domains.

Alternative UPNs are often used when several companies with Active Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs associated with the Active Directory users when accessing resources in FreeIPA domain.

== Use Cases ==
As an Active Directory user, I want to login using my user@EXAMPLE user principal name even if my Active Directory domain is named REGION.EXAMPLE.COM.

== Design==
Support for UPNs is split to three different components:
;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept enterprise logon names. By default, the use of enterprise principals is disabled, therefore, krb5_use_enterprise_principal = True needs to be added to sssd.conf to enable it.
;KDC
: IPA KDC does understand multiple domains associated with the trusted AD forest. However, since no information about name suffixes associated with the forest is available, it cannot take them into account when processing enterprise logon names to issue referrals to the correct realm.
Support needs to be added to allow IPA KDC to look up name suffixes associated with a trusted forest. ; IPA framework : Changes needed on IPA framework side to fetch from Active Directory a list of name suffixes and store them in the trusted domain objects. == Implementation == For retrieving name suffixes, IPA framework needs to move to use NETLOGON netr_DsRGetForestTrustInformation function instead of netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and top level names associated with the forest. As top level names (TLNs) have only a single string as a name suffix, they cannot be stored as trusted domains (they lack SID and NetBIOS name). Thus, either IPA KDB driver needs to be extended to understand trusted domains without SID and NetBIOS name, or TLNs need to be stored as a property of tree root domains of the forest. == Feature Management == === UI === If TLNs are added as a property of tree root domains of the forest, appropriate panel needs to be extended to display them. === CLI === If TLNs are added as a property of tree root domains of the forest, appropriate attribute need to be handled by '''trust-show''' command. If TLNs represented as separate 'trusted domains' of the trusted forest, no work is needed on CLI other than being able to support 'trusted domains' without SID and NetBIOS name. What is meant by 'tree root domains of the forest' in IPA context? The trust object? Btw trustdomain object has ipantflatname and ipanttrusteddomainsid attributes as optional so it is possible to store it there assuming modification of KDB driver. === Configuration === No configuration options. == Upgrade == No impact to upgrade. == How to Test == In order to test UPN-based logons, create additional name suffixes in Active Directory and establish trust to it. After trust is established, the name suffixes should be usable when trying to kinit as enterprise principal. 
== Test Plan == - -- Petr Vobornik
[Freeipa-devel] [PATCHES 548-549] ipalib: add convenient Command method for adding messages
Hi, these patches are for master only, see commit messages for details. Honza -- Jan Cholasta From 49f3e365dc56ccda7d8aec7cf9d8e2d98791b031 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Wed, 2 Mar 2016 11:00:23 +0100 Subject: [PATCH 1/2] ipalib: provide per-call command context Add context which is valid for the duration of command call. The context is accessible using the `context` attribute of Command and Object plugins. --- ipalib/frontend.py | 10 ++ ipalib/request.py | 21 + 2 files changed, 31 insertions(+) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 5b730b1..e91660d 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -38,6 +38,7 @@ from ipalib.errors import (ZeroArgumentError, MaxArgumentError, OverlapError, VersionError, OptionError, InvocationError, ValidationError, ConversionError) from ipalib import messages +from ipalib.request import context, context_frame from ipalib.util import json_serialize if six.PY3: @@ -370,6 +371,10 @@ class HasParam(Plugin): check(namespace) setattr(self, name, namespace) +@property +def context(self): +return context.current_frame + class Command(HasParam): """ @@ -424,6 +429,11 @@ class Command(HasParam): XML-RPC and the executed an the nearest IPA server. """ self.ensure_finalized() +with context_frame(): +self.context.principal = getattr(context, 'principal', None) +return self.__do_call(*args, **options) + +def __do_call(self, *args, **options): version_provided = 'version' in options if version_provided: self.verify_client_version(unicode(options['version'])) diff --git a/ipalib/request.py b/ipalib/request.py index 9484be5..d851ba8 100644 --- a/ipalib/request.py +++ b/ipalib/request.py @@ -22,6 +22,7 @@ Per-request thread-local data. """ +import contextlib import threading from ipalib.base import ReadOnly, lock 
@@ -32,6 +33,26 @@ from ipalib.constants import CALLABLE_ERROR context = threading.local() +class _FrameContext(object): +pass + + +@contextlib.contextmanager +def context_frame(): +try: +frame_back = context.current_frame +except AttributeError: +pass +context.current_frame = _FrameContext() +try: +yield +finally: +try: +context.current_frame = frame_back +except UnboundLocalError: +del context.current_frame + + class Connection(ReadOnly): """ Base class for connection objects stored on `request.context`. -- 2.5.0 From 8ca33656a7ebb7819af9a8101befb20396d2bd75 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 2 Mar 2016 12:44:15 +0100 Subject: [PATCH 2/2] ipalib: add convenient Command method for adding messages Call the add_message() method of Command from anywhere in the implementation of a command to add a message to the result of the command. --- ipalib/frontend.py | 20 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index e91660d..ba830f2 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -434,13 +434,17 @@ class Command(HasParam): return self.__do_call(*args, **options) def __do_call(self, *args, **options): -version_provided = 'version' in options -if version_provided: +self.context.__messages = [] +if 'version' in options: self.verify_client_version(unicode(options['version'])) elif self.api.env.skip_version_check and not self.api.env.in_server: options['version'] = u'2.0' else: options['version'] = API_VERSION +if self.api.env.in_server: +# add message only on server side +self.add_message( +messages.VersionMissing(server_version=API_VERSION)) params = self.args_options_2_params(*args, **options) self.debug( 'raw: %s(%s)', self.name, ', '.join(self._repr_iter(**params)) 
@@ -454,12 +458,9 @@ class Command(HasParam): self.validate(**params) (args, options) = self.params_2_args_options(**params) ret = self.run(*args, **options) -if (not version_provided and isinstance(ret, dict) and -self.api.env.in_server): -# add message only on server side -messages.add_message( -API_VERSION, ret, -messages.VersionMissing(server_version=API_VERSION)) +if isinstance(ret, dict): +for message in self.context.__messages: +messages.add_message(options['version'], ret, message) if ( isinstance(ret, dict) and 'summary' in self.output @@ -470,6 +471,9 @@ class Command(HasParam): self.validate_output(ret,
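Review bot: in the request.py hunk, context_frame() saves the previous frame by letting frame_back stay unbound when context.current_frame does not exist and then catching UnboundLocalError in the finally block; this exception-driven restore is hard to read and will mask a genuine UnboundLocalError from any code later added to the same block. A sentinel is explicit and behaves the same: `frame_back = getattr(context, 'current_frame', _MISSING)` before creating the new _FrameContext, then `if frame_back is _MISSING: del context.current_frame` else assign it back. _FrameContext could also carry a one-line docstring saying that per-call attributes (principal, and later messages) are hung off it.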
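Review bot: in the first frontend.py hunk of patch 2/2, `self.context.__messages = []` is subject to name mangling because the identifier appears inside the body of class Command, so the attribute actually stored on the frame object is `_Command__messages`. It works only while every access is lexically inside Command; a plugin subclass that touches the list from its own methods mangles to `_Subclass__messages` and gets an AttributeError. Suggest a single-underscore or plain `messages` attribute on the frame. Separately, the `context` property added to HasParam in patch 1/2 returns `context.current_frame` and so raises AttributeError for any code path that calls it outside `with context_frame():`; worth stating in its docstring or returning None in that case.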
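Review bot: in the second frontend.py hunk of patch 2/2, the loop `messages.add_message(options['version'], ret, message)` passes the client-supplied version where the removed lines passed API_VERSION; if add_message() gates messages on that version this changes which clients receive the VersionMissing warning, so either state the intent in the commit message or keep API_VERSION. The loop also assumes `options` still carries 'version' after params_2_args_options(); if a command drops it, the KeyError would turn a warning into a failed call, so `options.get('version', API_VERSION)` would be the safer lookup.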
Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
On 03/02/2016 01:35 PM, David Kupka wrote: > Tested with pylint-1.5.4-2, works for me, ACK. > > - Original Message - > From: "Martin Basti"> To: "freeipa-devel" > Sent: Tuesday, March 1, 2016 5:55:54 PM > Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive > no-member errors > > > > On 25.02.2016 17:50, Martin Basti wrote: > > > > > On 25.02.2016 15:48, Martin Basti wrote: > > > The last pylint 1.5 patch, \o/ > > https://fedorahosted.org/freeipa/ticket/5615 > > > self-NACK too broad disables > > > Updated patches attached. >

Pushed to:
ipa-4-2: aaad91d32ee855813bac5f57f8af128cfee327a5
ipa-4-3: 76545e2a54ebbfc5422d2a4bcd51fad1bbd8a79a
master: 72d5499c5a902c860c5496ee6e604526672e5777
Re: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
Hi Martin, I've made the requested changes. The full set of necessary patches is attached. On 03/02/2016 10:05 AM, Martin Basti wrote: > > > On 02.03.2016 00:12, Oleg Fayans wrote: >> Hi Martin, >> >> On 03/01/2016 07:04 PM, Martin Basti wrote: >>> >>> On 01.03.2016 14:56, Martin Basti wrote: On 01.03.2016 12:37, Martin Basti wrote: > > On 01.03.2016 12:32, Martin Basti wrote: >> >> On 29.02.2016 13:16, Oleg Fayans wrote: >>> Hi all, >>> >>> Finally the tests pass. >>> >>> The patch 0024 applies on top of patch 0022 (please, consider >>> reviewing >>> it also). Besides, the whole functionality depends on Martin's >>> patch N 0421 >>> >>> All patches pass pylint. >> hello, >> >> I cannot apply patches on master branch >> Martin^2 > My bad I applied wrong patch > >>> >>> On 12/19/2015 11:56 PM, Martin Basti wrote: On 17.12.2015 10:04, Oleg Fayans wrote: > Hi Martin, > > I am sorry, in my previous email I attached the old version of > patch > 0016. The correct on is attached. > > On 12/16/2015 05:47 PM, Martin Basti wrote: >> On 16.12.2015 15:39, Martin Basti wrote: >>> On 15.12.2015 10:29, Oleg Fayans wrote: Hi Martin, The updated patches are attached. Patch 0017 includes all changes from patch 0018, so, if you approve this one, there would be no need to continue with the review of 0018. This one contains all changes related to you remarks from 0018 review. Please see my explanation on the stdout+stderr part in the thread from patch 0018. 
With these two patches applied one of the tests fails due this bug: https://fedorahosted.org/freeipa/ticket/5550 On 12/09/2015 12:17 PM, Martin Basti wrote: > On 09.12.2015 12:10, Martin Basti wrote: >> On 09.12.2015 11:14, Oleg Fayans wrote: >>> Hi Martin >>> >>> On 12/09/2015 10:30 AM, Martin Basti wrote: On 08.12.2015 23:48, Oleg Fayans wrote: > Substituted a hardcoded suffix name with a constant > DOMAIN_SUFFIX_NAME > > On 12/08/2015 02:33 PM, Oleg Fayans wrote: >> Hi all, >> >> >> The patches are rebased against the current master. >> >> On 12/02/2015 05:10 PM, Martin Basti wrote: >>> On 02.12.2015 16:18, Oleg Fayans wrote: Hi Martin, On 12/01/2015 04:08 PM, Martin Basti wrote: > On 27.11.2015 16:26, Oleg Fayans wrote: >> And patch N 16 passes lint too: >> >> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>> Hi, >>> >>> On 11/27/2015 03:26 PM, Martin Basti wrote: On 27.11.2015 15:04, Oleg Fayans wrote: > Hi Martin, > > All your suggestions were taken into account. Both > patches are > updated. Thank you for your help! > > On 11/26/2015 10:50 AM, Martin Basti wrote: >> On 26.11.2015 10:04, Oleg Fayans wrote: >>> Hi Martin, >>> >>> I agree to all your points but one. please, >>> see my >>> comment >>> below >>> >>> On 11/25/2015 07:42 PM, Martin Basti wrote: Hi, 0) Note Please be aware of https://fedorahosted.org/freeipa/ticket/5469 during KRA testing 1) Please do not use MIN and MAX_DOMAIN_LEVEL constants, this may change over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 for domain level 0 and 1 2) Why uninstall KRA then server, is not enough just uninstall
Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
Tested with pylint-1.5.4-2, works for me, ACK. - Original Message - From: "Martin Basti"To: "freeipa-devel" Sent: Tuesday, March 1, 2016 5:55:54 PM Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors On 25.02.2016 17:50, Martin Basti wrote: On 25.02.2016 15:48, Martin Basti wrote: The last pylint 1.5 patch, \o/ https://fedorahosted.org/freeipa/ticket/5615 self-NACK too broad disables Updated patches attached.
Re: [Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help
On 03/02/2016 12:42 PM, Petr Vobornik wrote: > Help and status text used incorrect name "ipa-migrate-winsync" > > https://fedorahosted.org/freeipa/ticket/5713 > > ACK,

Pushed to:
ipa-4-2: 7151ea394aac00ca596a8d7460a2fcefd258b36e
ipa-4-3: 57e02c7140fe2ad6fe6a6bc9823f84500bb78732
master: c68e9510d03abb75d353e209ea32ac9d1ed362bc
[Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help
Help and status text used incorrect name "ipa-migrate-winsync" https://fedorahosted.org/freeipa/ticket/5713 -- Petr Vobornik From bed7e2721d6f6d995df47fc2d15e5b4a1b3ee489 Mon Sep 17 00:00:00 2001 From: Petr VobornikDate: Wed, 2 Mar 2016 12:37:33 +0100 Subject: [PATCH] fix incorrect name of ipa-winsync-migrate command in help Help and status text used incorrect name "ipa-migrate-winsync" https://fedorahosted.org/freeipa/ticket/5713 --- ipaserver/install/ipa_winsync_migrate.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py index a96845dccc9323efc6eb617c4520cf9678846377..545a224921a0cf1f8d849f0a71018769c36cfe41 100644 --- a/ipaserver/install/ipa_winsync_migrate.py +++ b/ipaserver/install/ipa_winsync_migrate.py @@ -37,15 +37,15 @@ class WinsyncMigrate(admintool.AdminTool): Tool to migrate winsync users. """ -command_name = 'ipa-migrate-winsync' -usage = "ipa-migrate-winsync" +command_name = 'ipa-winsync-migrate' +usage = "ipa-winsync-migrate" description = ( "This tool creates user ID overrides for all the users " "that were previously synced from AD domain using the " "winsync replication agreement. It requires that trust " "with the AD forest has already been established and " "the users in question are resolvable using SSSD. " -"For more information, see `man ipa-migrate-winsync`." +"For more information, see `man ipa-winsync-migrate`." ) @classmethod -- 2.5.0
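Review bot: the renamed description now points users to `man ipa-winsync-migrate`, but this patch only touches ipaserver/install/ipa_winsync_migrate.py; please confirm the man page is actually installed under that name and grep the tree for any remaining "ipa-migrate-winsync" strings so that help text, man page and the console script agree after the change.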
[Freeipa-devel] Supporting UPNs of trusted forests
Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains describes a design page to support name suffixes from trusted Active Directory domains. A prototype code exists (written by me and Sumit) and was tested by Sumit against recent releases of SSSD. Text is provided below for easier commenting.

-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==

User principal name (UPN) in Active Directory is the primary form of addressing users. UPN has structure of 'user name@suffix' where both user name and suffix parts may vary. By default the suffix is the same as the Active Directory domain name but AD administrators may create additional name suffixes and associate them with specific users. These additional UPNs for users may then be used for Kerberos authentication against Active Directory domains.

Alternative UPNs are often used when several companies with Active Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs associated with the Active Directory users when accessing resources in FreeIPA domain.

== Use Cases ==

As an Active Directory user, I want to login using my user@EXAMPLE user principal name even if my Active Directory domain is named REGION.EXAMPLE.COM.

== Design ==

Support for UPNs is split into three different components:

;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept enterprise logon names. By default, the use of enterprise principals is disabled, therefore, krb5_use_enterprise_principal = True needs to be added to sssd.conf to enable it.

;KDC
: IPA KDC does understand multiple domains associated with the trusted AD forest. However, since no information about name suffixes associated with the forest is available, it cannot take them into account when processing enterprise logon names to issue referrals to the correct realm. Support needs to be added to allow IPA KDC to look up name suffixes associated with a trusted forest.

;IPA framework
: Changes needed on IPA framework side to fetch from Active Directory a list of name suffixes and store them in the trusted domain objects.

== Implementation ==

For retrieving name suffixes, IPA framework needs to move to use NETLOGON netr_DsRGetForestTrustInformation function instead of netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and top level names associated with the forest. As top level names (TLNs) have only a single string as a name suffix, they cannot be stored as trusted domains (they lack SID and NetBIOS name). Thus, either IPA KDB driver needs to be extended to understand trusted domains without SID and NetBIOS name, or TLNs need to be stored as a property of tree root domains of the forest.

== Feature Management ==

=== UI ===

If TLNs are added as a property of tree root domains of the forest, appropriate panel needs to be extended to display them.

=== CLI ===

If TLNs are added as a property of tree root domains of the forest, appropriate attribute needs to be handled by '''trust-show''' command. If TLNs are represented as separate 'trusted domains' of the trusted forest, no work is needed on CLI other than being able to support 'trusted domains' without SID and NetBIOS name.

=== Configuration ===

No configuration options.

== Upgrade ==

No impact to upgrade.

== How to Test ==

In order to test UPN-based logons, create additional name suffixes in Active Directory and establish trust to it. After trust is established, the name suffixes should be usable when trying to kinit as enterprise principal.

== Test Plan ==

-
--
/ Alexander Bokovoy
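The KDC-side lookup the design asks for, as an added example that is not part of the design page or of FreeIPA's code: a UPN suffix is routed to a trusted forest when it is one of the forest's domains or one of the top-level names stored with its tree root domain, and gets no referral otherwise. The forest data is constructed sample data, and longest-match routing across overlapping names is an assumption of this example.

```python
"""Resolve the suffix of an AD enterprise principal to a trusted forest.

Added example, not code from the design page or from FreeIPA. It models the
lookup the design asks the IPA KDC to perform: a UPN suffix is routed to a
trusted forest if it is one of the forest's domains or one of the top-level
names (TLNs) stored with the forest's tree root domain. All forest data here
is constructed sample data; longest-match routing is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TrustedForest:
    """A trusted forest: the realm referrals go to, its domains, its TLNs."""
    root_realm: str                 # Kerberos realm of the forest root domain
    domains: List[str]              # DNS names of domains in the forest
    top_level_names: List[str] = field(default_factory=list)  # extra suffixes


def _covers(name: str, suffix: str) -> bool:
    """True if `suffix` equals `name` or is a DNS child of it (case-insensitive)."""
    name, suffix = name.lower(), suffix.lower()
    return suffix == name or suffix.endswith("." + name)


def split_enterprise_principal(upn: str) -> Tuple[str, str]:
    """Split 'user@suffix'; reject anything that is not exactly one '@'."""
    if upn.count("@") != 1:
        raise ValueError("enterprise principal must look like user@suffix: %r" % upn)
    user, suffix = upn.split("@")
    if not user or not suffix:
        raise ValueError("empty user or suffix in %r" % upn)
    return user, suffix


def resolve_enterprise_principal(upn: str,
                                 forests: List[TrustedForest]) -> Optional[str]:
    """Return the realm to refer the client to, or None when no trusted
    forest owns the suffix (the KDC then has nothing to refer to)."""
    _, suffix = split_enterprise_principal(upn)
    best_len, best_realm = -1, None
    for forest in forests:
        # With no TLNs stored, only the forest's domains are consulted, which
        # is why user@EXAMPLE fails today when the domain is REGION.EXAMPLE.COM.
        for name in forest.domains + forest.top_level_names:
            if _covers(name, suffix) and len(name) > best_len:
                best_len, best_realm = len(name), forest.root_realm
    return best_realm


if __name__ == "__main__":
    # Constructed sample: forest root REGION.EXAMPLE.COM that owns TLN EXAMPLE.
    forest = TrustedForest("REGION.EXAMPLE.COM",
                           ["region.example.com", "sub.region.example.com"],
                           ["EXAMPLE"])
    for upn in ("user@EXAMPLE", "user@sub.region.example.com", "user@other.test"):
        print(upn, "->", resolve_enterprise_principal(upn, [forest]))
```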
[Freeipa-devel] [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
https://fedorahosted.org/freeipa/ticket/5694From 0a7afc3042835935e2891032664afcead1f4bcea Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 2 Mar 2016 11:08:19 +0100 Subject: [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment. https://fedorahosted.org/freeipa/ticket/5694 --- client/man/ipa-client-install.1 | 10 ++ 1 file changed, 10 insertions(+) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 index 92ea77a4bda539f8614f3d47cac7b53faf57482c..ce5258b3eac08b9a04bf5f4142635d2e21310f32 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 @@ -176,6 +176,16 @@ valid for the IPA domain. .TP \fB\-\-request\-cert\fR Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host". + +Using this option requires that D-Bus is properly configured or not configured +at all. In enviroment where this condition is not met (e.g. anaconda kickstart +chroot environment) set the system bus address to /dev/null to enable +workaround in ipa-client-install. + +# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install --request-cert + +Note that the certmonger service requires a system reboot to start monitoring +the certificate obtained in this way. .TP \fB\-\-automount\-location\fR=\fILOCATION\fR Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as -- 2.4.3
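Review bot: the added man page text has a spelling error, "In enviroment where this condition is not met" should read "In environments where this condition is not met" (the commit subject repeats it in "Decribe" and "enviroment"). The paragraph also tells the administrator to set DBUS_SYSTEM_BUS_ADDRESS to /dev/null "to enable workaround" without saying what ipa-client-install then does differently; one clause on that would let readers weigh the trade-off implied by the following note that certmonger only starts monitoring the certificate after a reboot.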
[Freeipa-devel] External trust to AD
Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design for external trust to AD feature. The text is included below for easier review.

---
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==

Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between IPA and my domain only. The trust between IPA and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.

== Design ==

External trust between Active Directory domains is by definition non-transitive and enforces SID filtering between the domain boundaries. This means only users and groups with SIDs from the trusted domain can use the resources and be visible on IPA systems. None of other users and groups from domains the trusted domain trusts within its own Active Directory forest or other externally trusted domains will be allowed to access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure. There are several specific changes to allow supporting external trust:

* '''Non-transitivity''': since external trust is non-transitive by definition, any attempt to set transitivity feature of the trust link with LSA SetInformationTrustedDomain() command will fail. Thus, there is no need to set transitivity for the external trust.
* '''Trust attributes''': external trust can be detected by looking into absence of ipaNTTrustAttributes LDAP attribute of the trusted domain object.

== Feature Management ==

=== UI ===

An option 'external trust' needs to be added to Web UI, corresponding to '--external' flag in 'trust-add' command in CLI.

=== CLI ===

An external trust creation can be requested by passing additional flag '--external=true' to the 'trust-add' command. The flag defaults to 'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

=== Configuration ===

No configuration options needed.

== Upgrade ==

No changes on upgrades. The trust properties are only set up at trust creation time.

== How to Test ==

In order to test the external trust, attempt to create a trust to non-root domain in an Active Directory forest. It should fail without '--external=true' option and should be able to establish the external trust with '--external=true' option to 'trust-add' command. A type of the trust can be seen with 'trust-show' command.

== Test Plan ==

---
--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0427] fix broken configuration of sidgen and extdom plugins
On 03/01/2016 06:32 PM, Martin Basti wrote: On 01.03.2016 17:14, Martin Basti wrote: On 01.03.2016 17:13, Petr Vobornik wrote: On 03/01/2016 05:02 PM, Martin Basti wrote: On 01.03.2016 16:39, Petr Vobornik wrote: On 02/23/2016 06:15 PM, Martin Basti wrote: On 23.02.2016 17:31, Tomas Babej wrote: On 02/23/2016 01:25 PM, Martin Basti wrote: On 23.02.2016 13:02, Alexander Bokovoy wrote: On Tue, 23 Feb 2016, Martin Basti wrote: From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 23 Feb 2016 10:37:47 +0100 Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS restart Restarting DS executed by upgrade plugin causes that upgrade frameworg was waiting for not proper socket to be ready. This commit fix issue. Please fix the commit message typos. Fixed. Updated patches attached. ACK. Tomas Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a Testing freeipa-4.2.4 build and it fails at install/dsinstance.py:add_sidgen_plugin:936 adding self.ldap_connect() on line 937 fixed the issue. Well I may rework PATCH 0416, and fix it in different way, or I can add self.ldap_connect() to sidgen and extdom steps. Which is better? I would avoid reworking it in all 3 branches if in 4.3 and master it works and is actually correct. Doesn't make sense to change new code because of missing features in old branches. Adding connect to ipa-4-2 seems enough to me. IMO it works accidentaly there, any additional patch or restart can break it in 4.3 and master too Patch attached. 
ipa-4-2 needs to have backported ca8f63624b204f0c4f2d1ac5f4ed93551f7e62df

ACK

pushed to:
master:
* fcc540bbdc5daa24990940124ec3bd439b05257d Fix connections to DS during installation
ipa-4-3:
* c14fb0b9e0f4cb977e897645126ef7d1bbf9aa9e Fix connections to DS during installation
ipa-4-2:
* e2ef561375c63a375710254f159f75d7318c514d Insure the admin_conn is disconnected on stop
* 0af81913258b2f4c9841c5baddda146667282b2c Fix connections to DS during installation

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
On 02.03.2016 00:12, Oleg Fayans wrote: Hi Martin, On 03/01/2016 07:04 PM, Martin Basti wrote: On 01.03.2016 14:56, Martin Basti wrote: On 01.03.2016 12:37, Martin Basti wrote: On 01.03.2016 12:32, Martin Basti wrote: On 29.02.2016 13:16, Oleg Fayans wrote: Hi all, Finally the tests pass. The patch 0024 applies on top of patch 0022 (please, consider reviewing it also). Besides, the whole functionality depends on Martin's patch N 0421 All patches pass pylint. hello, I cannot apply patches on master branch Martin^2 My bad I applied wrong patch On 12/19/2015 11:56 PM, Martin Basti wrote: On 17.12.2015 10:04, Oleg Fayans wrote: Hi Martin, I am sorry, in my previous email I attached the old version of patch 0016. The correct on is attached. On 12/16/2015 05:47 PM, Martin Basti wrote: On 16.12.2015 15:39, Martin Basti wrote: On 15.12.2015 10:29, Oleg Fayans wrote: Hi Martin, The updated patches are attached. Patch 0017 includes all changes from patch 0018, so, if you approve this one, there would be no need to continue with the review of 0018. This one contains all changes related to you remarks from 0018 review. Please see my explanation on the stdout+stderr part in the thread from patch 0018. With these two patches applied one of the tests fails due this bug: https://fedorahosted.org/freeipa/ticket/5550 On 12/09/2015 12:17 PM, Martin Basti wrote: On 09.12.2015 12:10, Martin Basti wrote: On 09.12.2015 11:14, Oleg Fayans wrote: Hi Martin On 12/09/2015 10:30 AM, Martin Basti wrote: On 08.12.2015 23:48, Oleg Fayans wrote: Substituted a hardcoded suffix name with a constant DOMAIN_SUFFIX_NAME On 12/08/2015 02:33 PM, Oleg Fayans wrote: Hi all, The patches are rebased against the current master. 
On 12/02/2015 05:10 PM, Martin Basti wrote: On 02.12.2015 16:18, Oleg Fayans wrote: Hi Martin, On 12/01/2015 04:08 PM, Martin Basti wrote: On 27.11.2015 16:26, Oleg Fayans wrote: And patch N 16 passes lint too: On 11/27/2015 04:03 PM, Oleg Fayans wrote: Hi, On 11/27/2015 03:26 PM, Martin Basti wrote: On 27.11.2015 15:04, Oleg Fayans wrote: Hi Martin, All your suggestions were taken into account. Both patches are updated. Thank you for your help! On 11/26/2015 10:50 AM, Martin Basti wrote: On 26.11.2015 10:04, Oleg Fayans wrote: Hi Martin, I agree to all your points but one. please, see my comment below On 11/25/2015 07:42 PM, Martin Basti wrote: Hi, 0) Note Please be aware of https://fedorahosted.org/freeipa/ticket/5469 during KRA testing 1) Please do not use MIN and MAX_DOMAIN_LEVEL constants, this may change over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 for domain level 0 and 1 2) Why uninstall KRA then server, is not enough just uninstall server which covers KRA uninstall? +def teardown_method(self, method): +for host in self.replicas: + host.run_command(self.kra_uninstall, raiseonerr=False) + tasks.uninstall_master(host) 3) Can be this function more generic? It should allow specify host where KRA should be installed not just master +def test_kra_install_master(self): + self.master.run_command(self.kra_install) 4) TestLevel0(Dummy): Can be the test name more specific, something like TestReplicaPromotionLevel0 5) please remove this, the patch is on review and it will be pushed sooner than tests + @pytest.mark.xfail # Ticket N 5455 and as I mentioned in ticket #5455, I cannot reproduce it with ipa-kra-install, so please provide steps to reproduce if you insist that this still does not work as expected with KRA. 
6) This is completely wrong, it removes everything that we tried to achieve with previous patches with domain level in CI Actually, being able to configure domain level per class is WAY more convenient, than to always have to think which domain level is appropriate for which particular test during jenkins job configuration. In fact, I should have thought about it from the very beginning. For example, in test_replica_promotion.py we have on class, which intiates with domain level = 1, while others - with domain level 0. With config-based approach, we would have to implement a separate step that raises domain level. Overall, I am against the approach, when you have to remember to set certain domain level in config for any particular test. The tests themselves should be aware of the domain level they need. I do not say that we should not have something that overrides settings in from config in a particular test case, I say your patch is doing it wrong. I agree it is useful to have param domain_level in install_master, and intall_topo methods, but is cannot be MAX_DOMAIN_LEVEL by default, because with your current patch the domain_level in config is not used at all, it will be always MAX_DOMAIN_LEVEL For example I want to achieve this goal: test_vault.py, this test suite can run on domain level1 and on domain level0, so with one test we can test 2 domain levels just with putting domain level into config file. I agree that