Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-06-07 at 10:56 +0300, Alexander Bokovoy wrote:
On Thu, 07 Jun 2012, Martin Kosek wrote:

It may have been an issue on my side. I will open a ticket if I hit a unit test error again.

I did the next round of review for your patches, I did not find any show-stopper why not to push your patches. Let's get them grilled also by other team members :-)

I just logged one issue I found with ipa-adtrust-install: https://fedorahosted.org/freeipa/ticket/2815

I think we should do a check on whether we have a valid ticket prior to doing the configuration, similar to how we check DM password availability.

Besides the keytab fetch we also need to create the service, which requires appropriate admin permissions.

ACK. Pushed all 13 patches to master.

Great! Thanks for the thorough review.

Excellent news! Thanks a lot to all involved for the great work done!

Simo.

Sumit, please rebase and send your remaining patches for review.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
On Mon, 04 Jun 2012, Martin Kosek wrote:

I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there are about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts

Ok, will fix.

3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during the installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

Found and fixed. The issue was in not following RFC2849 when specifying multiple changetype operations, you need to split their definitions by a single line with '-' on it. I squashed the fix back to the original patch.

But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

When I run ipactl restart, dirsrv started and I was able to kinit. Maybe it is a timing issue?

4) Patch "Add separate attribute to store trusted domain SID" still has a wrong service part of the principal to be removed (s/ldap/cifs):

+dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+member_principal3 = ldap/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm)
+

This leaves the CIFS entry in the S4U2Proxy configuration even after replica uninstallation.

Fixed and squashed back to the original patch.

Btw. these are the packages I use:

389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64

Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.

I tested your latest tree against w2k8r2 and was able to create and validate the trust. So ACK to the functional part.

bye,
Sumit

--
/ Alexander Bokovoy
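The RFC 2849 rule behind the "wrong attributeType at line 5" failure that Alexander fixed above, as an added example that is not part of the thread or of FreeIPA's code: a small checker that flags a "changetype: modify" record whose add:/delete:/replace: blocks are not separated by a line holding a single '-'. The sample records are constructed (suffix, host and realm are made up; the attribute names follow FreeIPA's s4u2proxy schema as I recall it), and the line-5 location of the constructed mistake matches the ldapmodify message quoted in the thread.

```python
# Added example (not code from the thread or from FreeIPA): a checker for the
# RFC 2849 rule Alexander hit above. In a "changetype: modify" record each
# add:/delete:/replace: block (a "mod-spec") must end with a line holding a
# single "-"; without it ldapmodify reads the next "add: x" header as an
# attribute named "add" and fails with "wrong attributeType" on that line.
import re

# Header line of one mod-spec: "add: attr", "delete: attr" or "replace: attr".
_MOD_SPEC = re.compile(r"^(add|delete|replace):\s*[A-Za-z][\w.;-]*\s*$", re.IGNORECASE)


def split_records(ldif_text):
    """Split LDIF into records, each a list of (physical line number, text)."""
    # Records are separated by blank lines; "#" comments are dropped and folded
    # continuation lines (leading space) are joined onto the line before them.
    records, current = [], []
    for lineno, raw in enumerate(ldif_text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" ") and current:
            prev_no, prev_text = current[-1]
            current[-1] = (prev_no, prev_text + line[1:])
            continue
        current.append((lineno, line))
    if current:
        records.append(current)
    return records


def check_modify_record(lines):
    """Return problem strings for one record; non-modify records yield none."""
    if not lines or not lines[0][1].lower().startswith("dn:"):
        return ["line %s: record does not start with dn:" % (lines[0][0] if lines else "?")]
    dn = lines[0][1][3:].strip()
    if len(lines) < 2 or lines[1][1].lower().replace(" ", "") != "changetype:modify":
        return []
    problems, open_spec = [], None  # open_spec: header of the block not yet closed
    for lineno, text in lines[2:]:
        if text == "-":
            if open_spec is None:
                problems.append(f"line {lineno}: '-' with no open mod-spec in {dn}")
            open_spec = None
            continue
        if _MOD_SPEC.match(text):
            if open_spec is not None:
                # The thread's bug: a new header while the previous block is still open.
                problems.append(f"line {lineno}: '{text}' starts a new mod-spec but "
                                f"'{open_spec}' was not closed with '-' in {dn}")
            open_spec = text
            continue
        if open_spec is None:
            problems.append(f"line {lineno}: attribute value outside any mod-spec in {dn}")
            continue
        attr = text.split(":", 1)[0].strip().lower()
        if attr != open_spec.split(":", 1)[1].strip().lower():
            problems.append(f"line {lineno}: attribute '{attr}' does not match "
                            f"open mod-spec '{open_spec}' in {dn}")
    if open_spec is not None:
        problems.append(f"line {lines[-1][0]}: last mod-spec '{open_spec}' in {dn} "
                        f"is not closed with '-'")
    return problems


def check_ldif(ldif_text):
    """Run the mod-spec check over every record and return all problems found."""
    problems = []
    for record in split_records(ldif_text):
        problems.extend(check_modify_record(record))
    return problems


# Constructed sample modelled on the replica S4U2Proxy update from the thread
# (suffix, host and realm are made up). The two add: blocks are not separated,
# so line 5 is where ldapmodify would report the wrong attributeType.
BAD_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
-
"""

# The same change written as RFC 2849 requires: every mod-spec ends with "-".
GOOD_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
-
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
-
"""
```

Running check_ldif over an installer's LDIF before handing it to ldapmodify turns the opaque "wrong attributeType" exit into a message naming the unclosed block.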
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
- Original Message -
On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
On Mon, 04 Jun 2012, Martin Kosek wrote:

I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there are about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts

Ok, will fix.

3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during the installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

Found and fixed. The issue was in not following RFC2849 when specifying multiple changetype operations, you need to split their definitions by a single line with '-' on it. I squashed the fix back to the original patch.

But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:

Does ps -ef|grep slapd show the ns-slapd process running?

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests

These last three lines mean the server is up and running.

[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

These error messages should only appear at startup, and should go away once all of the ipa components (especially kdc) are up and running.

When I run ipactl restart, dirsrv started and I was able to kinit. Maybe it is a timing issue?

4) Patch "Add separate attribute to store trusted domain SID" still has a wrong service part of the principal to be removed (s/ldap/cifs):

+dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+member_principal3 = ldap/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm)
+

This leaves the CIFS entry in the S4U2Proxy configuration even after replica uninstallation.

Fixed and squashed back to the original patch.

Btw. these are the packages I use:

389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64

Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.

I tested your latest tree against w2k8r2 and was able to create and validate the trust. So ACK to the functional part.

bye,
Sumit

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:

Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:
...

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try:
+import ipaserver.dcerpc
+except Exception, e:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False
...

The idea was that this code is only executed on the server. We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it executed all the time you are affecting the client code as well, while with the current approach it only affects the server side.

Across our code base, this situation is currently solved with this condition:

if api.env.in_server and api.env.context in ['lite', 'server']:
    # try-import block

+def execute(self, *keys, **options):
+# Join domain using full credentials and with random trustdom
+# secret (will be generated by the join method)
+trustinstance = None
+if not _bindings_installed:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data):
+from Crypto.Cipher import ARC4
+c = ARC4.new(key)
+return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

Yeah, I would fix it in the same way as 3).

Martin

I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there are about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts

3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during the installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247

But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

When I run ipactl restart, dirsrv started and I was able to kinit.

4) Patch "Add separate attribute to store trusted domain SID" still has a wrong service part of the principal to be removed (s/ldap/cifs):

+dn3 =
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-05-03 at 08:31 -0700, Nathan Kinder wrote:
On 05/03/2012 08:18 AM, Martin Kosek wrote:
On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:

Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:
...

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try:
+import ipaserver.dcerpc
+except Exception, e:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False
...

The idea was that this code is only executed on the server. We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it executed all the time you are affecting the client code as well, while with the current approach it only affects the server side.

Across our code base, this situation is currently solved with this condition:

if api.env.in_server and api.env.context in ['lite', 'server']:
    # try-import block

+def execute(self, *keys, **options):
+# Join domain using full credentials and with random trustdom
+# secret (will be generated by the join method)
+trustinstance = None
+if not _bindings_installed:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data):
+from Crypto.Cipher import ARC4
+c = ARC4.new(key)
+return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

Yeah, I would fix it in the same way as 3).

I am running another round of tests to finish my review of your patches, but I stumbled on a 389-ds error when I was installing the IPA server from a package built from your git tree:

git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git

# rpm -q freeipa-server 389-ds-base
freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
389-ds-base-1.2.11-0.1.a1.fc17.x86_64

# ipa-server-install -p kokos123 -a kokos123
...
[16/18]: issuing RA agent certificate
[17/18]: adding RA agent as a trusted user
[18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
[1/35]: creating directory server user
[2/35]: creating directory server instance
[3/35]: adding default schema
[4/35]: enabling memberof plugin
[5/35]: enabling referential integrity plugin
[6/35]: enabling winsync plugin
[7/35]: configuring replication version plugin
[8/35]: enabling IPA enrollment plugin
[9/35]: enabling ldapi
[10/35]: configuring uniqueness plugin
[11/35]: configuring uuid plugin
[12/35]: configuring modrdn plugin
[13/35]: enabling entryUSN plugin
[14/35]: configuring lockout plugin
[15/35]: creating indices
[16/35]: configuring ssl for ds instance
[17/35]: configuring certmap.conf
[18/35]: configure autobind for root
[19/35]: configure new location for managed entries
[20/35]: restarting directory server
[21/35]: adding default layout
[22/35]: adding delegation layout
ipa : CRITICAL Failed to load delegation.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned non-zero exit status 255
[23/35]: adding replication acis
ipa : CRITICAL Failed to load replica-acis.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned non-zero exit status 255
[24/35]: creating container for managed entries
ipa : CRITICAL Failed to load managed-entries.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned non-zero exit status 255
[25/35]: configuring user private groups
ipa : CRITICAL Failed to load user_private_groups.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned non-zero exit status 255
[26/35]: configuring netgroups from hostgroups
ipa : CRITICAL Failed to load
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:

Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:
...

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try:
+import ipaserver.dcerpc
+except Exception, e:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False
...

The idea was that this code is only executed on the server. We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it executed all the time you are affecting the client code as well, while with the current approach it only affects the server side.

Across our code base, this situation is currently solved with this condition:

if api.env.in_server and api.env.context in ['lite', 'server']:
    # try-import block

+def execute(self, *keys, **options):
+# Join domain using full credentials and with random trustdom
+# secret (will be generated by the join method)
+trustinstance = None
+if not _bindings_installed:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data):
+from Crypto.Cipher import ARC4
+c = ARC4.new(key)
+return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

Yeah, I would fix it in the same way as 3).

I am running another round of tests to finish my review of your patches, but I stumbled on a 389-ds error when I was installing the IPA server from a package built from your git tree:

git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git

# rpm -q freeipa-server 389-ds-base
freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
389-ds-base-1.2.11-0.1.a1.fc17.x86_64

# ipa-server-install -p kokos123 -a kokos123
...
[16/18]: issuing RA agent certificate
[17/18]: adding RA agent as a trusted user
[18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
[1/35]: creating directory server user
[2/35]: creating directory server instance
[3/35]: adding default schema
[4/35]: enabling memberof plugin
[5/35]: enabling referential integrity plugin
[6/35]: enabling winsync plugin
[7/35]: configuring replication version plugin
[8/35]: enabling IPA enrollment plugin
[9/35]: enabling ldapi
[10/35]: configuring uniqueness plugin
[11/35]: configuring uuid plugin
[12/35]: configuring modrdn plugin
[13/35]: enabling entryUSN plugin
[14/35]: configuring lockout plugin
[15/35]: creating indices
[16/35]: configuring ssl for ds instance
[17/35]: configuring certmap.conf
[18/35]: configure autobind for root
[19/35]: configure new location for managed entries
[20/35]: restarting directory server
[21/35]: adding default layout
[22/35]: adding delegation layout
ipa : CRITICAL Failed to load delegation.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned non-zero exit status 255
[23/35]: adding replication acis
ipa : CRITICAL Failed to load replica-acis.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned non-zero exit status 255
[24/35]: creating container for managed entries
ipa : CRITICAL Failed to load managed-entries.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned non-zero exit status 255
[25/35]: configuring user private groups
ipa : CRITICAL Failed to load user_private_groups.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned non-zero exit status 255
[26/35]: configuring netgroups from hostgroups
ipa : CRITICAL Failed to
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:

Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:
...

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try:
+import ipaserver.dcerpc
+except Exception, e:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False
...

The idea was that this code is only executed on the server. We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it executed all the time you are affecting the client code as well, while with the current approach it only affects the server side.

Across our code base, this situation is currently solved with this condition:

if api.env.in_server and api.env.context in ['lite', 'server']:
    # try-import block

+def execute(self, *keys, **options):
+# Join domain using full credentials and with random trustdom
+# secret (will be generated by the join method)
+trustinstance = None
+if not _bindings_installed:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data):
+from Crypto.Cipher import ARC4
+c = ARC4.new(key)
+return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

Yeah, I would fix it in the same way as 3).

I am running another round of tests to finish my review of your patches, but I stumbled on a 389-ds error when I was installing the IPA server from a package built from your git tree:

git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git

# rpm -q freeipa-server 389-ds-base
freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
389-ds-base-1.2.11-0.1.a1.fc17.x86_64

# ipa-server-install -p kokos123 -a kokos123
...
[16/18]: issuing RA agent certificate
[17/18]: adding RA agent as a trusted user
[18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
[1/35]: creating directory server user
[2/35]: creating directory server instance
[3/35]: adding default schema
[4/35]: enabling memberof plugin
[5/35]: enabling referential integrity plugin
[6/35]: enabling winsync plugin
[7/35]: configuring replication version plugin
[8/35]: enabling IPA enrollment plugin
[9/35]: enabling ldapi
[10/35]: configuring uniqueness plugin
[11/35]: configuring uuid plugin
[12/35]: configuring modrdn plugin
[13/35]: enabling entryUSN plugin
[14/35]: configuring lockout plugin
[15/35]: creating indices
[16/35]: configuring ssl for ds instance
[17/35]: configuring certmap.conf
[18/35]: configure autobind for root
[19/35]: configure new location for managed entries
[20/35]: restarting directory server
[21/35]: adding default layout
[22/35]: adding delegation layout
ipa : CRITICAL Failed to load delegation.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned non-zero exit status 255
[23/35]: adding replication acis
ipa : CRITICAL Failed to load replica-acis.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned non-zero exit status 255
[24/35]: creating container for managed entries
ipa : CRITICAL Failed to load managed-entries.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned non-zero exit status 255
[25/35]: configuring user private groups
ipa : CRITICAL Failed to load user_private_groups.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned non-zero exit status 255
[26/35]: configuring netgroups from hostgroups
ipa : CRITICAL Failed to load host_nis_groups.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned non-zero exit status 255
[27/35]: creating default Sudo bind user
ipa : CRITICAL Failed to load sudobind.ldif: Command '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v -f
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Tue, 2012-04-03 at 16:57 +0200, Sumit Bose wrote:
On Tue, Apr 03, 2012 at 01:41:35PM +0300, Alexander Bokovoy wrote:

Hi!

Attached are the current patches for adding support for Active Directory trusts for FreeIPA v3 (master). These are tested and working with the samba4 build available in the ipa-devel@ repo. You have to use --delegate until we get all the parts of the Heimdal puzzle untangled and solved, and Simo's patch 490 (s4u2proxy fix) is committed as well.

Sumit asked me to send the patches for review and commit to master so that he can proceed with his changes (removal of kadmin.local use, SID population task for 389-ds, etc). Without the kadmin.local use fix these patches are not working with SELinux enabled.

Patches have the [../9] mark because they were generated out of my adwork tree. I have merged two patches together for obvious change reasons and have left Simo's s4u2proxy patch out, thus there are seven patches proposed for commit.

I have tested the patches and they worked fine for me. They currently only work on F17, because they rely on the version of python-ldap shipped with F17. So it is an ACK from my side. It would be nice if someone else could have a look at the python parts to see if they are in agreement with the IPA standards (I expect they are :-).

bye,
Sumit

--
/ Alexander Bokovoy

Hello Alexander,

I read the patches with focus on the Python parts, please check my comments.

freeipa-abbra-0042-ticket-2192.patch:

1) s4u2proxy records that you add for new replicas should also be removed during replica uninstall. Otherwise you will get a warning when the replica is being re-installed.
You can find the cleanup code in replication.py in ipaserver/install in function replica_cleanup()

freeipa-abbra-0044-ticket-1821.patch:

1) Missing i18n:

+trust_output_params = (
+Str('ipantflatname',
+label='Domain NetBIOS name'),
+Str('ipantsecurityidentifier',
+label='Domain Security Identifier'),
+Str('trustdirection',
+label='Trust direction'),
+Str('trusttype',
+label='Trust type'),
+)

2) This does not look nice (and returns False (i.e. not str) when level is out of bounds):

+def trust_type_string(level):
+return int(level) in (1,2,3) and (u'Forest',u'Cross-Forest',u'MIT')[int(level)-1]
+
+def trust_direction_string(level):
+return int(level) in (1,2,3) and (u'Downlevel',u'Uplevel',u'Both directions')[int(level)-1]

Maybe something like this would be better (and i18n-ed):

_trust_type_dict = {1 : _('Forest'), 2 : _('Cross-Forest'), 3 : _('MIT')}
_trust_type_dict_unknown = _('Unknown')

def trust_type_string(level):
    string = _trust_type_dict.get(int(level), _trust_type_dict_unknown)
    return unicode(string)

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try:
+import ipaserver.dcerpc
+except Exception, e:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False
...
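Review bot: trust_type_string and trust_direction_string call int(level) on the raw attribute value, so a non-numeric value raises ValueError before the `in (1,2,3)` bounds test ever runs, and the suggested `_trust_type_dict.get(int(level), _trust_type_dict_unknown)` replacement keeps that gap. Wrap the conversion (`try: key = int(level)` / `except (TypeError, ValueError): key = None`) so a malformed entry falls through to the 'Unknown' string instead of failing the whole command.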
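Review bot: the `except Exception, e:` around `import ipaserver.dcerpc` catches every failure, not only a missing module, and then discards `e`, so a genuine bug inside ipaserver.dcerpc or in the Samba bindings it loads is reported to the administrator as "Cannot perform join operation without Samba 4 python bindings installed". Catch ImportError only and log the original exception before raising errors.NotFound; the suggested module-level `_bindings_installed` flag has the same gap with its bare `except Exception:`.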
+def execute(self, *keys, **options):
+# Join domain using full credentials and with random trustdom
+# secret (will be generated by the join method)
+trustinstance = None
+if not _bindings_installed:
+raise errors.NotFound(name=_('AD Trust setup'),
+ reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data):
+from Crypto.Cipher import ARC4
+c = ARC4.new(key)
+return c.encrypt(data)

HTH,
Martin
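Review bot: arcfour_encrypt wraps `ARC4.new(key).encrypt(data)` with no docstring saying why RC4 is used; RC4 is a plain keystream XOR with no integrity protection, so the helper should not be reachable for anything but the legacy wire format this trust code needs. Add a docstring naming the protocol step that requires it, and keep the `from Crypto.Cipher import ARC4` under the same server-side guard as the dcerpc import discussed in 3), so client-only installs do not pick up a python-crypto dependency.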
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:

Hello Alexander,

I read the patches with focus on Python parts, please check my comments.

freeipa-abbra-0042-ticket-2192.patch:

1) s4u2proxy records that you add for new replicas should also be removed during replica uninstall. Otherwise you will get a warning when the replica is being re-installed. You can find the clean up code in replication.py in ipaserver/install in function replica_cleanup()

thanks.

freeipa-abbra-0044-ticket-1821.patch:

1) Missing i18n:

+trust_output_params = ( +Str('ipantflatname', +label='Domain NetBIOS name'), +Str('ipantsecurityidentifier', +label='Domain Security Identifier'), +Str('trustdirection', +label='Trust direction'), +Str('trusttype', +label='Trust type'), +)

Ok, will fix.

2) This does not look nice (and returns False (i.e. not str) when level is out of bounds):

+def trust_type_string(level): +return int(level) in (1,2,3) and (u'Forest',u'Cross-Forest',u'MIT')[int(level)-1] + +def trust_direction_string(level): +return int(level) in (1,2,3) and (u'Downlevel',u'Uplevel',u'Both directions')[int(level)-1]

Maybe something like this would be better (and i18n-ed):

    _trust_type_dict = {1 : _('Forest'), 2 : _('Cross-Forest'), 3 : _('MIT')}
    _trust_type_dict_unknown = _('Unknown')

    def trust_type_string(level):
        string = _trust_type_dict.get(int(level), _trust_type_dict_unknown)
        return unicode(string)

ok, makes sense. We'll need to do it for both directions later (not now).

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try: +import ipaserver.dcerpc +except Exception, e: +raise errors.NotFound(name=_('AD Trust setup'), + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

    try:
        import ipaserver.dcerpc
        _bindings_installed = True
    except Exception:
        _bindings_installed = False
    ...

The idea was that this code is only executed on the server.

We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it execute all the time you are affecting the client code as well, while with the current approach it only affects the server side.

+def execute(self, *keys, **options): +# Join domain using full credentials and with random trustdom +# secret (will be generated by the join method) +trustinstance = None +if not _bindings_installed: +raise errors.NotFound(name=_('AD Trust setup'), + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data): +from Crypto.Cipher import ARC4 +c = ARC4.new(key) +return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

-- 
/ Alexander Bokovoy
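Review bot: in the trust_type_string / trust_direction_string hunk, the expression `int(level) in (1,2,3) and (...)[int(level)-1]` evaluates to the boolean False for any level outside 1..3, so callers expecting a string get False, and int(level) raises ValueError when the attribute value is not numeric; both helpers operate on values read back from LDAP, which the command should tolerate rather than crash on. A dict lookup with a translated default, as suggested in the reply, fixes the first; wrapping int() in a try/except ValueError that falls back to the 'Unknown' string fixes the second. The display strings should go through _() so they are translated consistently with the output params from point 1).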
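Review bot: in the try/import hunk, `except Exception, e:` swallows every exception raised while importing ipaserver.dcerpc, not only a missing module, so a genuine bug inside ipaserver.dcerpc (for instance an AttributeError from a changed samba4 API) is reported to the user as "Samba 4 python bindings not installed" and is hard to diagnose. Catch ImportError only, and drop the unused `e`. The import also belongs at module scope, executed once under a server-side guard as discussed above, not on every command execution.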
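Review bot: in the execute() hunk, errors.NotFound is used to report that the server lacks the Samba 4 bindings; NotFound signals that a requested entry does not exist, so clients and scripts that branch on the error class will read a server configuration problem as a missing object. An error class that describes an unsupported or unconfigured server feature is a better fit. Also, `trustinstance = None` is assigned before the bindings check and is unused in the shown lines; move the check to the very top of execute().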
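Review bot: in the arcfour_encrypt hunk, `from Crypto.Cipher import ARC4` inside the function means a missing python-crypto package only surfaces as an ImportError the first time a trust secret is encrypted, at runtime, rather than at install or module load; import it at module scope under the same server-side guard proposed for 3), and make python-crypto an explicit package dependency. Since RC4 as used here is keyed directly with `key` and provides no integrity protection, a docstring should state which protocol step requires exactly this construction, so the helper is not reused as a general-purpose encryption routine.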
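The behaviour Martin describes in point 2) (a False return for an out-of-range level) and a hardened replacement, as an added example in Python 3 that is not code from the patches or from FreeIPA. `_` is a stand-in for ipalib's gettext wrapper (the identity function here, so the block runs stand-alone), `str` replaces the `unicode` call of the Python 2 suggestion, and the sample values are constructed to look like what an LDAP search returns. It goes one step beyond the suggested dict lookup by also tolerating non-numeric and list-valued input instead of raising ValueError.

```python
def _(msg):
    """Stand-in for ipalib's translation function (assumption: identity)."""
    return msg


# --- helper as posted in the patch, behaviour preserved for comparison ---
def trust_type_string_orig(level):
    # 'and' short-circuits: for a level outside 1..3 this returns False,
    # not a string, and int() raises ValueError on non-numeric input.
    return int(level) in (1, 2, 3) and (u'Forest', u'Cross-Forest', u'MIT')[int(level) - 1]


# --- hardened version: dict lookup, translated strings, tolerant input ---
_TRUST_TYPE = {1: _('Forest'), 2: _('Cross-Forest'), 3: _('MIT')}
_TRUST_DIRECTION = {1: _('Downlevel'), 2: _('Uplevel'), 3: _('Both directions')}
_UNKNOWN = _('Unknown')


def _level_string(table, level):
    """Map an LDAP attribute value to a display string.

    LDAP hands values back as strings, often wrapped in a list, so the
    conversion must cope with a missing, non-numeric or out-of-range value
    and always return a string.
    """
    if isinstance(level, (list, tuple)):
        level = level[0] if level else None
    try:
        key = int(level)
    except (TypeError, ValueError):
        return str(_UNKNOWN)
    return str(table.get(key, _UNKNOWN))


def trust_type_string(level):
    return _level_string(_TRUST_TYPE, level)


def trust_direction_string(level):
    return _level_string(_TRUST_DIRECTION, level)


def demo():
    """Constructed sample values of the kind an LDAP search would return."""
    return {
        'orig_out_of_range': trust_type_string_orig('7'),   # False, not a str
        'type_2': trust_type_string('2'),                   # 'Cross-Forest'
        'type_list': trust_type_string(['3']),              # 'MIT'
        'type_bad': trust_type_string('not-a-number'),      # 'Unknown'
        'dir_0': trust_direction_string(0),                 # 'Unknown'
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, repr(value))
```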
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:

Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:

...

3) I would not try to import ipaserver.dcerpc every time the command is executed:

+try: +import ipaserver.dcerpc +except Exception, e: +raise errors.NotFound(name=_('AD Trust setup'), + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

I would rather do it once in the beginning and set a flag:

    try:
        import ipaserver.dcerpc
        _bindings_installed = True
    except Exception:
        _bindings_installed = False
    ...

The idea was that this code is only executed on the server.

We need to differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it execute all the time you are affecting the client code as well, while with the current approach it only affects the server side.

Across our code base, this situation is currently solved with this condition:

    if api.env.in_server and api.env.context in ['lite', 'server']:
        # try-import block

+def execute(self, *keys, **options): +# Join domain using full credentials and with random trustdom +# secret (will be generated by the join method) +trustinstance = None +if not _bindings_installed: +raise errors.NotFound(name=_('AD Trust setup'), + reason=_('Cannot perform join operation without Samba 4 python bindings installed'))

4) Another import inside a function:

+def arcfour_encrypt(key, data): +from Crypto.Cipher import ARC4 +c = ARC4.new(key) +return c.encrypt(data)

Same here, it is only needed on the server side.

Let us get consensus over 3) and 4) and I'll fix the patches altogether (and push).

Yeah, I would fix it in the same way as 3).

Martin
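The pattern agreed on for 3) and 4) (attempt the optional import once, at load time, only under the server-side condition, set a flag, and check the flag in execute()), as an added Python 3 example that is not FreeIPA's own code. `ServerEnv` is a constructed stand-in for `api.env`, `TrustCommand` is a sketch rather than an ipalib Command subclass, the standard `json` module stands in for installed Samba 4 bindings, and the module name `placeholder_missing_bindings` is a constructed name that does not exist so the missing-bindings path is exercised. Unlike the snippet in the thread it catches only ImportError, so a broken module is not mistaken for an absent one.

```python
import importlib


class ServerEnv:
    """Stand-in for ipalib's api.env (constructed for this example)."""

    def __init__(self, in_server, context):
        self.in_server = in_server
        self.context = context


class BindingsMissing(Exception):
    """Raised by a server-side command whose optional bindings are not installed."""


def load_bindings(env, module_name):
    """Import an optional server-side module once, at load time.

    Returns (module, True) on success and (None, False) otherwise.  On a
    client (in_server False, or a non-server context) no import is attempted
    at all, so the client code path is unaffected.  Only ImportError is
    caught: any other exception means the bindings are present but broken,
    and that must surface instead of being reported as "not installed".
    """
    if not (env.in_server and env.context in ('lite', 'server')):
        return None, False
    try:
        return importlib.import_module(module_name), True
    except ImportError:
        return None, False


class TrustCommand:
    """Sketch of a command object; real ipalib commands derive from Command."""

    def __init__(self, env, module_name):
        # Resolved once when the command object is created, not per execute().
        self.bindings, self.bindings_installed = load_bindings(env, module_name)

    def execute(self, *keys, **options):
        # Cheap flag check on every call; the import itself never repeats.
        if not self.bindings_installed:
            raise BindingsMissing(
                'AD Trust setup: cannot perform this operation without '
                'Samba 4 python bindings installed')
        return 'trust operation ran with bindings %s' % self.bindings.__name__


def try_execute(env, module_name):
    """Run execute() and report the outcome as a string."""
    try:
        return TrustCommand(env, module_name).execute()
    except BindingsMissing as exc:
        return 'refused: %s' % exc


if __name__ == '__main__':
    print(try_execute(ServerEnv(True, 'server'), 'json'))
    print(try_execute(ServerEnv(True, 'server'), 'placeholder_missing_bindings'))
    print(try_execute(ServerEnv(False, 'cli'), 'json'))
```

The third call shows the point made in the thread: on a client the flag is simply False, so no server-only module is ever imported there.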
Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
On Tue, Apr 03, 2012 at 01:41:35PM +0300, Alexander Bokovoy wrote:

Hi!

Attached are the current patches for adding support for Active Directory trusts for FreeIPA v3 (master). These are tested and working with the samba4 build available in the ipa-devel@ repo. You have to use --delegate until we get all the parts of the Heimdal puzzle untangled and solved, and Simo's patch 490 (s4u2proxy fix) is committed as well.

Sumit asked me to send patches for review and commit to master so that he can proceed with his changes (removal of kadmin.local use, SID population task for 389-ds, etc). Without the kadmin.local use fix these patches are not working with SELinux enabled.

Patches have the [../9] mark because they were generated out of my adwork tree. I have merged two patches together for obvious change reasons and have left out Simo's s4u2proxy patch, thus there are seven patches proposed for commit.

I have tested the patches and they worked fine for me. They currently only work in F17, because they rely on the version of python-ldap shipped with F17. So it is an ACK from my side.

It would be nice if someone else can have a look at the python parts to see if they are in agreement with the IPA standards (I expect they are :-).

bye,
Sumit

-- 
/ Alexander Bokovoy