[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing

2017-04-10 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
 Title: #682: ipserver/dcerpc: unify error processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From 25d8a94c862c51300198ea4956842521935e53f8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 3 Apr 2017 10:29:21 +0300
Subject: [PATCH 1/2] ipaserver/dcerpc: unify error processing

Samba error code reporting changes from version to version, but we also
did not provide proper input into the DCE RPC error processing method we
have.

Unify error processing and add a few more fallback entries.

With Samba 4.7 we'll have to change it again because error code
processing for Samba Python modules will change with introduction of
samba.ntstatus and samba.werror modules.

Note that this commit also changes the message returned for error code
-1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one.

Fixes https://pagure.io/freeipa/issue/6859
---
 ipaserver/dcerpc.py | 23 +--
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2d9d7e5..d684a17 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -117,19 +117,27 @@ def is_sid_valid(sid):
   # we simply will skip the binding
 access_denied_error,
 -1073741772:  # NT_STATUS_OBJECT_NAME_NOT_FOUND
-errors.RemoteRetrieveError(
-reason=_('CIFS server configuration does not allow '
- 'access to pipe\\lsarpc')),
+errors.NotFound(
+reason=_('Cannot find specified domain or server name')),
 }
 
 dcerpc_error_messages = {
 "NT_STATUS_OBJECT_NAME_NOT_FOUND":
 errors.NotFound(
 reason=_('Cannot find specified domain or server name')),
+"The object name is not found.":
+errors.NotFound(
+reason=_('Cannot find specified domain or server name')),
 "WERR_NO_LOGON_SERVERS":
 errors.RemoteRetrieveError(
 reason=_('AD DC was unable to reach any IPA domain controller. '
  'Most likely it is a DNS or firewall issue')),
+# This is a very long key, don't change it
+"There are currently no logon servers available to "
+"service the logon request.":
+errors.RemoteRetrieveError(
+reason=_('AD DC was unable to reach any IPA domain controller. '
+ 'Most likely it is a DNS or firewall issue')),
 "NT_STATUS_INVALID_PARAMETER_MIX":
 errors.RequirementError(
 name=_('At least the domain or IP address should be specified')),
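Review bot: the two new keys "The object name is not found." and "There are currently no logon servers available to service the logon request." match Samba's human-readable message text rather than the symbolic NT_STATUS/WERR names, so they stop matching silently as soon as Samba rewords or localizes the message; since the commit message already expects the format to change with samba.ntstatus/samba.werror in 4.7, the lookup should try the numeric code (now passed as `num`) first and fall back to the text only when no code is available, and the "don't change it" comment should say why (exact match against Samba output). Separately, the comment on the -1073741772 entry says NT_STATUS_OBJECT_NAME_NOT_FOUND while the commit message says NT_STATUS_OBJECT_NOT_FOUND; the hunk has the right name (0xC0000034), so the commit message should be aligned before merge.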
@@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain):
 
 # Both methods should not fail at the same time
 if finddc_error and len(info['gc']) == 0:
-raise assess_dcerpc_exception(message=str(finddc_error))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 self._info[domain] = info
 return info
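Review bot: `num, message = e.args` on the added line refers to `e`, but the only exception in scope here is `finddc_error` (the condition on the line above tests it); `e` is either undefined (NameError on Python 3, where an `except ... as e` binding is cleared at the end of its block) or, on Python 2, a stale binding from an earlier except clause, so the wrong error would be reported. It should read `num, message = finddc_error.args`. The two-value unpack also assumes every RuntimeError carries a (code, message) pair; a RuntimeError raised with a single string makes this line fail with ValueError and masks the original failure. Since the removed line shows assess_dcerpc_exception already works with `message` alone, fall back to `num=None, message=str(finddc_error)` when `len(finddc_error.args) != 2`.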
@@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host,
 else:
 result = netrc.finddc(address=remote_host, flags=flags)
 except RuntimeError as e:
-raise assess_dcerpc_exception(message=str(e))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 if not result:
 return False
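Review bot: the `num, message = e.args` unpack here has the same fragility as in __retrieve_trusted_domain_gc_list: if netrc.finddc raises RuntimeError with anything other than exactly two args, the user gets an unpacking traceback instead of the mapped IPA error. Guard it, for example `num, message = e.args if len(e.args) == 2 else (None, str(e))`, so the pre-patch behaviour remains the fallback.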
@@ -1408,7 +1418,8 @@ def communicate(td):
 result = netrc.finddc(domain=trustdomain,
   flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
 except RuntimeError as e:
-raise assess_dcerpc_exception(message=str(e))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 td.info['dc'] = unicode(result.pdc_dns_name)
 td.info['name'] = unicode(result.dns_domain)
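Review bot: this is the third copy of the identical `e.args` unpack plus pylint disable; consider moving that handling into one helper (or into assess_dcerpc_exception itself, letting it take the exception object) so the length check lives in one place and the three call sites cannot drift apart.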

From 662914834ebe3b75a85f66ebc4ef95315f9683f0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 5 Apr 2017 12:37:10 +0300
Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust
 information

Since the introduction of privilege separation in the IPA framework, none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As a result, we cannot obtain a TGT for the HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to the oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366
---
 ipaserver/plugins/trust.py | 38 +++---
 1 file changed, 7 insertions(+), 31 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.p

[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing

2017-04-10 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
 Title: #682: ipserver/dcerpc: unify error processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
From 4601201f919ebf97e2ea82bd8c5f66ee23a8aa6d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 3 Apr 2017 10:29:21 +0300
Subject: [PATCH 1/2] ipserver/dcerpc: unify error processing

Samba error code reporting changes from version to version, but we also
did not provide proper input into the DCE RPC error processing method we
have.

Unify error processing and add a few more fallback entries.

With Samba 4.7 we'll have to change it again because error code
processing for Samba Python modules will change with introduction of
samba.ntstatus and samba.werror modules.

Note that this commit also changes the message returned for error code
-1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one.

Fixes https://pagure.io/freeipa/issue/6859
---
 ipaserver/dcerpc.py | 23 +--
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2d9d7e5..d684a17 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -117,19 +117,27 @@ def is_sid_valid(sid):
   # we simply will skip the binding
 access_denied_error,
 -1073741772:  # NT_STATUS_OBJECT_NAME_NOT_FOUND
-errors.RemoteRetrieveError(
-reason=_('CIFS server configuration does not allow '
- 'access to pipe\\lsarpc')),
+errors.NotFound(
+reason=_('Cannot find specified domain or server name')),
 }
 
 dcerpc_error_messages = {
 "NT_STATUS_OBJECT_NAME_NOT_FOUND":
 errors.NotFound(
 reason=_('Cannot find specified domain or server name')),
+"The object name is not found.":
+errors.NotFound(
+reason=_('Cannot find specified domain or server name')),
 "WERR_NO_LOGON_SERVERS":
 errors.RemoteRetrieveError(
 reason=_('AD DC was unable to reach any IPA domain controller. '
  'Most likely it is a DNS or firewall issue')),
+# This is a very long key, don't change it
+"There are currently no logon servers available to "
+"service the logon request.":
+errors.RemoteRetrieveError(
+reason=_('AD DC was unable to reach any IPA domain controller. '
+ 'Most likely it is a DNS or firewall issue')),
 "NT_STATUS_INVALID_PARAMETER_MIX":
 errors.RequirementError(
 name=_('At least the domain or IP address should be specified')),
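Review bot: unchanged from the previous push: the message-text keys ("The object name is not found.", "There are currently no logon servers available to service the logon request.") still key off Samba's wording rather than the numeric code or symbolic name, and the NT_STATUS_OBJECT_NAME_NOT_FOUND comment in the hunk still disagrees with NT_STATUS_OBJECT_NOT_FOUND in the commit message (the hunk is right for -1073741772 / 0xC0000034).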
@@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain):
 
 # Both methods should not fail at the same time
 if finddc_error and len(info['gc']) == 0:
-raise assess_dcerpc_exception(message=str(finddc_error))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 self._info[domain] = info
 return info
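Review bot: still open after the re-push: `num, message = e.args` uses `e` where only `finddc_error` is in scope in this function (see the `if finddc_error` test just above), which will raise NameError on Python 3 or report a stale exception on Python 2; change it to `finddc_error.args`. The bare two-value unpack in this hunk and in the two hunks that follow should also tolerate a RuntimeError with a single argument by falling back to `num=None, message=str(...)`, which the removed lines show assess_dcerpc_exception already accepts.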
@@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host,
 else:
 result = netrc.finddc(address=remote_host, flags=flags)
 except RuntimeError as e:
-raise assess_dcerpc_exception(message=str(e))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 if not result:
 return False
@@ -1408,7 +1418,8 @@ def communicate(td):
 result = netrc.finddc(domain=trustdomain,
   flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
 except RuntimeError as e:
-raise assess_dcerpc_exception(message=str(e))
+num, message = e.args  # pylint: disable=unpacking-non-sequence
+raise assess_dcerpc_exception(num=num, message=message)
 
 td.info['dc'] = unicode(result.pdc_dns_name)
 td.info['name'] = unicode(result.dns_domain)

From db9bff4ecc184f359b858119ba5e8cfc9c8a635f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 5 Apr 2017 12:37:10 +0300
Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust
 information

Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366
---
 ipaserver/plugins/trust.py | 38 +++---
 1 file changed, 7 insertions(+), 31 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py