Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On 16.03.2016 13:45, Alexander Bokovoy wrote:
On Wed, 16 Mar 2016, Martin Basti wrote:
On 16.03.2016 13:32, Martin Basti wrote:
On 16.03.2016 13:32, Alexander Bokovoy wrote:
On Wed, 16 Mar 2016, Martin Basti wrote:
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
you meant 'not needed', I'd guess.
Yes, I meant that, sorry :)
Updated patch attached.
From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 16 Mar 2016 13:41:51 +0100 Subject: [PATCH] Fix broken trust warnings Warning should be shown only for parent entries of trust domain. Sub domains do not contain SIDs at all. https://fedorahosted.org/freeipa/ticket/5737 --- ipalib/plugins/trust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -597,7 +597,9 @@ class trust(LDAPObject): try: entries, truncated = ldap.find_entries( -base_dn=DN(self.container_dn, self.api.env.basedn), +base_dn=DN(self.api.env.container_adtrusts, + self.api.env.basedn), +scope=ldap.SCOPE_ONELEVEL, attrs_list=['cn'], filter='(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))',
ACK if you change the commit message to say that subdomains do not contain ipaNTSecurityIdentifier attribute.
Thanks, changed.
Pushed to:
master: de8c6d81fd5d0f759ac0201e2c517bcb8b43d960
ipa-4-3: 1e0208612087e80f673e7ec1f8e050b57b5f1fb7
ipa-4-2: fb11384e65d74b6a027bf8cfe9f93e003bba5236
From cc25233e99d24d83fd97a3cf089b4f60be696e67 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 16 Mar 2016 13:41:51 +0100 Subject: [PATCH] Fix broken trust warnings Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all. https://fedorahosted.org/freeipa/ticket/5737 --- ipalib/plugins/trust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -597,7 +597,9 @@ class trust(LDAPObject): try: entries, truncated = ldap.find_entries( -base_dn=DN(self.container_dn, self.api.env.basedn), +base_dn=DN(self.api.env.container_adtrusts, + self.api.env.basedn), +scope=ldap.SCOPE_ONELEVEL, attrs_list=['cn'], filter='(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))', -- 2.5.0
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
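Review bot: `truncated` is unpacked from `ldap.find_entries(` in this hunk but nothing in the visible lines checks it, whereas `update_sids` in ipaserver/install/plugins/adtrust.py (first version of this patch) logs "update_sids: Search results were truncated"; a broken trust that falls past the search size limit would be skipped here without any notice, so log a warning when `truncated` is set. A one-line comment above `+scope=ldap.SCOPE_ONELEVEL,` stating that the one-level scope is what excludes the nested subdomain entries (which never carry ipaNTSecurityIdentifier) would keep the commit-message rationale next to the code, because the filter `'(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))'` on its own would match every subdomain again the moment someone widens the scope.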
Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On 16.03.2016 13:32, Martin Basti wrote:
On 16.03.2016 13:32, Alexander Bokovoy wrote:
On Wed, 16 Mar 2016, Martin Basti wrote:
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
you meant 'not needed', I'd guess.
Yes, I meant that, sorry :)
Updated patch attached.
From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 16 Mar 2016 13:41:51 +0100 Subject: [PATCH] Fix broken trust warnings Warning should be shown only for parent entries of trust domain. Sub domains do not contain SIDs at all. https://fedorahosted.org/freeipa/ticket/5737 --- ipalib/plugins/trust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -597,7 +597,9 @@ class trust(LDAPObject): try: entries, truncated = ldap.find_entries( -base_dn=DN(self.container_dn, self.api.env.basedn), +base_dn=DN(self.api.env.container_adtrusts, + self.api.env.basedn), +scope=ldap.SCOPE_ONELEVEL, attrs_list=['cn'], filter='(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))', -- 2.5.0
Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On 16.03.2016 13:32, Alexander Bokovoy wrote:
On Wed, 16 Mar 2016, Martin Basti wrote:
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
you meant 'not needed', I'd guess.
Yes, I meant that, sorry :)
Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On Wed, 16 Mar 2016, Martin Basti wrote:
On 16.03.2016 13:32, Martin Basti wrote:
On 16.03.2016 13:32, Alexander Bokovoy wrote:
On Wed, 16 Mar 2016, Martin Basti wrote:
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
you meant 'not needed', I'd guess.
Yes, I meant that, sorry :)
Updated patch attached.
From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 16 Mar 2016 13:41:51 +0100 Subject: [PATCH] Fix broken trust warnings Warning should be shown only for parent entries of trust domain. Sub domains do not contain SIDs at all. https://fedorahosted.org/freeipa/ticket/5737 --- ipalib/plugins/trust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -597,7 +597,9 @@ class trust(LDAPObject): try: entries, truncated = ldap.find_entries( -base_dn=DN(self.container_dn, self.api.env.basedn), +base_dn=DN(self.api.env.container_adtrusts, + self.api.env.basedn), +scope=ldap.SCOPE_ONELEVEL, attrs_list=['cn'], filter='(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))',
ACK if you change the commit message to say that subdomains do not contain ipaNTSecurityIdentifier attribute.
--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On Wed, 16 Mar 2016, Martin Basti wrote:
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
you meant 'not needed', I'd guess.
--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
On 15.03.2016 16:40, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
Self NACK, fix should be just a one-liner, I found out that domains are stored hierarchically so extra finding of parent zones is needed.
[Freeipa-devel] [PATCH 0440] Fix broken trust warnings
https://fedorahosted.org/freeipa/ticket/5737
Patch attached.
From 952a43a2ef272a61916125040852bc6f5b5de079 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 15 Mar 2016 16:18:57 +0100 Subject: [PATCH] Fix broken trust warnings Warning should be shown only for parent entries of trust domain. Sub domains do not contain SIDs at all. https://fedorahosted.org/freeipa/ticket/5737 --- ipalib/plugins/trust.py | 25 +++-- ipaserver/install/plugins/adtrust.py | 17 +++-- 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index ba0c98e2f3711924dace395b7becf2977ca8e35c..148f1cd03d937f24e039e15bc009f9e941ec4ea9 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -594,23 +594,36 @@ class trust(LDAPObject): AD trust domain without generated SID, warn user about it. """ ldap = self.api.Backend.ldap2 - +sid_attr_name = 'ipaNTSecurityIdentifier' try: entries, truncated = ldap.find_entries( base_dn=DN(self.container_dn, self.api.env.basedn), -attrs_list=['cn'], -filter='(&(ipaNTTrustPartner=*)' - '(!(ipaNTSecurityIdentifier=*)))', +attrs_list=['cn', sid_attr_name], +filter='(ipaNTTrustPartner=*)', ) except errors.NotFound: pass else: +# print warning only for parent domain, subdomains do not contain +# SIDs +parent_domains = {} for entry in entries: - add_message( +domain = entry.single_value["cn"] +parent_domains = { +d: e for d, e in parent_domains.items() +if not d.endswith(domain) +} +if not any(domain.endswith(d) for d in parent_domains.keys()): +parent_domains[domain] = entry + +for domain, entry in parent_domains.items(): +if entry.get(sid_attr_name): +continue +add_message( options['version'], result, BrokenTrust(domain=entry.single_value['cn']) - ) +) @register() diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index ce58d7f171bd448dc767f92bbc32346a14f5b2ea..3c68b13c7809cb48ff27bd1d557da23e77d6df9d 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -291,10 +291,10 @@ class update_sids(Updater): trust_domain_entries, truncated = ldap.find_entries( base_dn=base_dn, scope=ldap.SCOPE_ONELEVEL, -attrs_list=["cn"], +attrs_list=["cn", attr_name], # more types of trusts can be stored under cn=trusts, we need # the type with ipaNTTrustPartner attribute -filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name +filter="(ipaNTTrustPartner=*)" ) except errors.NotFound: pass @@ -302,8 +302,21 @@ class update_sids(Updater): if truncated: self.log.warning("update_sids: Search results were truncated") +# print warning only for parent domain, subdomains do not contain +# SIDs +parent_domains = {} for entry in trust_domain_entries: domain = entry.single_value["cn"] +parent_domains = { +d: e for d, e in parent_domains.items() +if not d.endswith(domain) +} +if not any(domain.endswith(d) for d in parent_domains.keys()): +parent_domains[domain] = entry + +for domain, entry in parent_domains.items(): +if entry.get(attr_name): +continue self.log.error( "Your trust to %s is broken. Please re-create it by " "running 'ipa trust-add' again.", domain) -- 2.5.0
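Review bot: the suffix test in the ipalib/plugins/trust.py hunk, `if not d.endswith(domain)` together with `any(domain.endswith(d) for d in parent_domains.keys())`, has no label boundary, so an unrelated trusted domain whose name merely ends in another's (mycorp.test beside corp.test) is discarded as a "subdomain" and its missing ipaNTSecurityIdentifier is never reported; compare against `"." + domain` and normalise case first, since DNS names are case-insensitive. Minor: the final loop binds `domain` but still builds `BrokenTrust(domain=entry.single_value['cn'])`, so just pass `domain`; and rebuilding `parent_domains` on every iteration is quadratic, harmless for a handful of trusts but worth a comment.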
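Review bot: the search in the `@@ -291,10 +291,10 @@` hunk already runs with `scope=ldap.SCOPE_ONELEVEL`, so if subdomain entries sit beneath their parent's entry, as the thread says they are stored hierarchically, they were never returned here in the first place; widening the filter from `-filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name` to `+filter="(ipaNTTrustPartner=*)"` only makes the updater fetch every trust entry and filter client-side. Either keep the server-side `!(%s=*)` clause or state in the commit message why it was not sufficient for this caller.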
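Review bot: the parent-domain selection added in the `@@ -302,8 +302,21 @@` hunk is a verbatim copy of the block added to ipalib/plugins/trust.py in the same patch, down to the comment `# print warning only for parent domain, subdomains do not contain` and the same unbounded `d.endswith(domain)` comparison; factor it into one helper shared by both callers so the two warnings cannot drift apart, and give that helper the `"." + domain` boundary check. The `if entry.get(attr_name): continue` guard also silently swallows the case where `attr_name` is present but empty, which `get()` treats as falsy; if that is intended, say so in a comment.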
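A worked illustration of the point the two patch versions turn on, added here as example code that is not part of the thread or of FreeIPA: an in-memory stand-in for `ldap.find_entries()` over a constructed set of trust entries (sample data, not real) shows that a subtree search with the filter `(&(ipaNTTrustPartner=*)(!(ipaNTSecurityIdentifier=*)))` flags every nested subdomain as a broken trust, while a one-level search under the AD trusts container, as in the pushed patch, reports only a parent domain that really lacks a SID. The name-based parent selection from the first patch is carried along as an alternative, with a label-boundary check so that a domain whose name merely ends in another's is not mistaken for its subdomain. The DN layout, the attribute values and all helper names are assumptions.

```python
"""Added example (not FreeIPA code): why a one-level search under the AD
trusts container reports only parent trust domains as 'broken', and what a
name-based fallback in the spirit of the first patch must get right.

Assumptions, not taken from the thread: the constructed directory below
models ldap.find_entries() with a list of (dn, attributes) tuples, and a
subdomain entry is nested directly beneath its parent's entry, which is how
the thread says trust domains are stored hierarchically.
"""

SCOPE_ONELEVEL = 1   # direct children of base_dn only
SCOPE_SUBTREE = 2    # everything beneath base_dn

BASE_DN = "dc=example,dc=test"
CONTAINER_ADTRUSTS = "cn=ad,cn=trusts"
TRUSTS_BASE = CONTAINER_ADTRUSTS + "," + BASE_DN

# Constructed sample data. ad.example.test is healthy (it has a SID);
# other.test is a genuinely broken trust (parent entry, no SID); the two
# subdomain entries never carry ipaNTSecurityIdentifier.
DIRECTORY = [
    ("cn=ad.example.test," + TRUSTS_BASE,
     {"cn": "ad.example.test", "ipaNTTrustPartner": "ad.example.test",
      "ipaNTSecurityIdentifier": "S-1-5-21-1111-2222-3333"}),
    ("cn=child.ad.example.test,cn=ad.example.test," + TRUSTS_BASE,
     {"cn": "child.ad.example.test",
      "ipaNTTrustPartner": "child.ad.example.test"}),
    ("cn=other.test," + TRUSTS_BASE,
     {"cn": "other.test", "ipaNTTrustPartner": "other.test"}),
    ("cn=sub.other.test,cn=other.test," + TRUSTS_BASE,
     {"cn": "sub.other.test", "ipaNTTrustPartner": "sub.other.test"}),
]


def find_entries(base_dn, scope, missing_sid_only=True):
    """Stand-in for ldap.find_entries(): entries under base_dn that carry
    ipaNTTrustPartner and, when missing_sid_only is set, lack
    ipaNTSecurityIdentifier (the filter used by the patch)."""
    found = []
    for dn, attrs in DIRECTORY:
        if scope == SCOPE_ONELEVEL:
            in_scope = dn.split(",", 1)[1] == base_dn
        else:
            in_scope = dn.endswith("," + base_dn)
        if not in_scope or "ipaNTTrustPartner" not in attrs:
            continue
        if missing_sid_only and "ipaNTSecurityIdentifier" in attrs:
            continue
        found.append((dn, attrs))
    return found


def broken_trusts_subtree():
    """Pre-fix behaviour: a subtree search also matches the nested subdomain
    entries, so every subdomain is reported as a broken trust."""
    return sorted(a["cn"] for _, a in find_entries(TRUSTS_BASE, SCOPE_SUBTREE))


def broken_trusts_onelevel():
    """Behaviour of the pushed patch: SCOPE_ONELEVEL sees only the top-level
    trust entries, so only a parent without a SID is reported."""
    return sorted(a["cn"] for _, a in find_entries(TRUSTS_BASE, SCOPE_ONELEVEL))


def is_subdomain(child, parent):
    """True when child is strictly below parent in DNS. The '.' boundary
    matters: 'mycorp.test' is not a subdomain of 'corp.test'."""
    return child.lower().endswith("." + parent.lower())


def broken_trusts_by_name(entries):
    """Name-based alternative in the spirit of the first patch: collapse the
    entries to parent domains by name, then report parents without a SID.
    Works whatever order the entries arrive in."""
    parents = {}
    for _, attrs in entries:
        domain = attrs["cn"]
        # drop already-seen domains that turn out to be children of this one
        parents = {d: a for d, a in parents.items()
                   if not is_subdomain(d, domain)}
        if not any(is_subdomain(domain, d) for d in parents):
            parents[domain] = attrs
    return sorted(d for d, a in parents.items()
                  if "ipaNTSecurityIdentifier" not in a)


if __name__ == "__main__":
    print("subtree :", broken_trusts_subtree())   # subdomains falsely flagged
    print("onelevel:", broken_trusts_onelevel())  # only other.test
    all_trusts = find_entries(TRUSTS_BASE, SCOPE_SUBTREE, missing_sid_only=False)
    print("by name :", broken_trusts_by_name(all_trusts))
```

The two approaches agree on this data, but they fail differently: the scope-based check depends on subdomain entries actually being nested under their parent, while the name-based one depends on correct DNS suffix matching, which is why the boundary dot in `is_subdomain` is not optional.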