URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: [WIP] ipserver/dcerpc: unify error processing Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682
From b0583338006e86ebc9beb4b9c171e123efd970fc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 3 Apr 2017 10:29:21 +0300 Subject: [PATCH 1/2] ipserver/dcerpc: unify error processing Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing method we have. Unify error processing and add few more fallback entries. With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with introduction of samba.ntstatus and samba.werror modules. Note that this commit also changes a message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is more general one. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438348 --- ipaserver/dcerpc.py | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2d9d7e5..d684a17 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -117,19 +117,27 @@ def is_sid_valid(sid): # we simply will skip the binding access_denied_error, -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND - errors.RemoteRetrieveError( - reason=_('CIFS server configuration does not allow ' - 'access to \\\\pipe\\lsarpc')), + errors.NotFound( + reason=_('Cannot find specified domain or server name')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": errors.NotFound( reason=_('Cannot find specified domain or server name')), + "The object name is not found.": + errors.NotFound( + reason=_('Cannot find specified domain or server name')), "WERR_NO_LOGON_SERVERS": errors.RemoteRetrieveError( reason=_('AD DC was unable to reach any IPA domain controller. ' 'Most likely it is a DNS or firewall issue')), + # This is a very long key, don't change it + "There are currently no logon servers available to " + "service the logon request.": + errors.RemoteRetrieveError( + reason=_('AD DC was unable to reach any IPA domain controller. ' + 'Most likely it is a DNS or firewall issue')), "NT_STATUS_INVALID_PARAMETER_MIX": errors.RequirementError( name=_('At least the domain or IP address should be specified')), @@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain): # Both methods should not fail at the same time if finddc_error and len(info['gc']) == 0: - raise assess_dcerpc_exception(message=str(finddc_error)) + num, message = e.args # pylint: disable=unpacking-non-sequence + raise assess_dcerpc_exception(num=num, message=message) self._info[domain] = info return info @@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host, else: result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError as e: - raise assess_dcerpc_exception(message=str(e)) + num, message = e.args # pylint: disable=unpacking-non-sequence + raise assess_dcerpc_exception(num=num, message=message) if not result: return False @@ -1408,7 +1418,8 @@ def communicate(td): result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError as e: - raise assess_dcerpc_exception(message=str(e)) + num, message = e.args # pylint: disable=unpacking-non-sequence + raise assess_dcerpc_exception(num=num, message=message) td.info['dc'] = unicode(result.pdc_dns_name) td.info['name'] = unicode(result.dns_domain) From dbbc875873b81bc14b6027d9c45b53f873608529 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Wed, 5 Apr 2017 12:37:10 +0300 Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust information Since introduction of privilege separation in IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As result, we cannot obtain TGT for HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 --- ipaserver/plugins/trust.py | 36 ++++++++---------------------------- 1 file changed, 8 insertions(+), 28 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 3de2458..884dd8e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -1753,36 +1753,16 @@ def execute(self, *keys, **options): trust_direction = int(trust['ipanttrustdirection'][0]) is_nontransitive = int(trust.get('ipanttrustattributes', [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE + # For one-way trust and external trust fetch over DBus. # We don't get the list in this case. - if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive: - fetch_trusted_domains_over_dbus(self.api, self.log, keys[0]) - result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.')) - return result - - trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) - if not trustinstance.configured: - raise errors.NotFound( - name=_('AD Trust setup'), - reason=_( - 'Cannot perform join operation without own domain ' - 'configured. Make sure you have run ipa-adtrust-install ' - 'on the IPA server first' - ) - ) - - trustinstance.populate_remote_domain(keys[0]) - - res = fetch_domains_from_trust(self.api, trustinstance, **options) - domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) - - if len(domains) > 0: - result['summary'] = unicode(_('List of trust domains successfully refreshed')) - else: - result['summary'] = unicode(_('No new trust domains were found')) - - result['result'] = domains - result['count'] = len(domains) + # With privilege separation we also cannot authenticate as + # HTTP/ principal because we have no access to its key material. + # Thus, we'll use DBus call out to oddjobd helper in all cases + fetch_trusted_domains_over_dbus(self.api, self.log, keys[0]) + result['summary'] = unicode(_('List of trust domains successfully ' + 'refreshed. Use trustdomain-find ' + 'command to list them.')) return result
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
