Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation

2013-02-12 Thread Martin Kosek
On 02/12/2013 04:48 PM, Alexander Bokovoy wrote:
 On Fri, 01 Feb 2013, Martin Kosek wrote:
 On 01/31/2013 07:06 PM, Alexander Bokovoy wrote:
 On Thu, 31 Jan 2013, Martin Kosek wrote:
 On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:
 On Thu, 31 Jan 2013, Martin Kosek wrote:
 When ipa-adtrust-install is run, check if there are any objects
 that need to have SID generated. If yes, interactively ask the user
 if the sidgen task should be run.

 https://fedorahosted.org/freeipa/ticket/3195

 ...
 I would still run this check in options.unattended mode and report a
 warning, for accounting purposes.

 Could you please make it so?


 Sure! Updated patch attached.
 Thanks! I have only a small addition:

 +object_count = len(entries)
 +if object_count  0:
 +print 
 +print WARNING: %d existing users or groups do not have a
 SID identifier assigned. \
 +% len(entries)
 +print Installer can run a task to have ipa-sidgen 
 Directory
 Server plugin generate
 +print the SID identifier for all these users. Please 
 note,
 the in case of a high
 +print number of users and groups, the operation might 
 lead
 to high replication
 +print traffic and performance degradation. Refer to
 ipa-adtrust-install(1) man page
 +print for details.
 +print 
 +if not options.unattended:
 +if ipautil.user_input(Do you want to run the 
 ipa-sidgen
 task?, default=False,
 +allow_empty=False):
 +options.add_sids = True
 ... to make the text of the warning consistent it would be good to add
 + else:
 + print Unattended mode was selected, installer will 
 *not*
 run ipa-sidgen task!


 And here is the updated patch.
 ACK.
 
 I actually tested it already with other patches just forgot to reply to
 this email.
 

Pushed to master, ipa-3-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation

2013-01-31 Thread Alexander Bokovoy

On Thu, 31 Jan 2013, Martin Kosek wrote:

When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195



From bd6512628d83d1f4bdfc9f414689c8a67bd01c7c Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 31 Jan 2013 15:08:08 +0100
Subject: [PATCH] ipa-adtrust-install should ask for SID generation

When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
---
install/tools/ipa-adtrust-install | 42 +--
1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-adtrust-install 
b/install/tools/ipa-adtrust-install
index 
17f2f0e98d08863c9e48595d219bffb148490921..e127fd63e9a43b2630325d1fc3aa645f2ef8951a
 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -275,12 +275,6 @@ def main():
ip_address = str(ip)
root_logger.debug(will use ip_address: %s\n, ip_address)

-if not options.unattended:
-print 
-print The following operations may take some minutes to complete.
-print Please wait until the prompt is returned.
-print 
-
admin_password = options.admin_password
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
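
Review bot: The wait notice deleted at the top of this hunk ("The following operations may take some minutes to complete.") has no replacement in the lines quoted in this message, so an interactive run would reach the long-running steps without it. If the aim is to keep the notice from appearing before the new SID prompt, print it again after the prompt, ahead of the long-running configuration steps.
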
@@ -320,6 +314,42 @@ def main():
set_and_check_netbios_name(options.netbios_name,
options.unattended)

+if not options.unattended and not options.add_sids:
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+try:
+(entries, truncated) = 
api.Backend.ldap2.find_entries(filter=filter,
+base_dn=api.env.basedn, attrs_list=[''])
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError), e:
+print Could not retrieve a list of entries that needs a SID 
generation:
+print   %s % e
+else:
+object_count = len(entries)
+if object_count  0:
+print 
+print %d existing users or groups do not have a SID identifier 
assigned. \
+% len(entries)
+print Installer can run a task to have ipa-sidgen Directory Server 
plugin generate
+print the SID identifier for all these users. Please note, the in 
case of a high
+print number of users and groups, the operation might lead to high 
replication
+print traffic and performance degradation. Refer to 
ipa-adtrust-install(1) man page
+print for details.
+print 
+if ipautil.user_input(Do you want to run the ipa-sidgen 
task?, default=False,
+allow_empty=False):
+options.add_sids = True
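
Review bot: The second value unpacked from find_entries, "truncated", is never read in the else branch, so if the search result is truncated the "%d existing users or groups" figure counts only the entries that were returned. Check truncated and word the message as "at least %d" in that case. Separately, the variable name "filter" shadows the Python built-in of the same name; a name such as sid_filter avoids that.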

I would still run this check in options.unattended mode and report a
warning, for accounting purposes.

Could you please make it so?

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation

2013-01-31 Thread Martin Kosek
On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:
 On Thu, 31 Jan 2013, Martin Kosek wrote:
 When ipa-adtrust-install is run, check if there are any objects
 that need to have SID generated. If yes, interactively ask the user
 if the sidgen task should be run.

 https://fedorahosted.org/freeipa/ticket/3195
 
...
 I would still run this check in options.unattended mode and report a
 warning, for accounting purposes.
 
 Could you please make it so?
 

Sure! Updated patch attached.

Martin
From dca4904b06956c191dbe23a0580561c35a81d11f Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 31 Jan 2013 15:08:08 +0100
Subject: [PATCH] ipa-adtrust-install should ask for SID generation

When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
---
 install/tools/ipa-adtrust-install | 46 ++-
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 17f2f0e98d08863c9e48595d219bffb148490921..2f7480447be8007ef2f136cbab5ff0f8a47df7cb 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -275,12 +275,6 @@ def main():
 ip_address = str(ip)
 root_logger.debug(will use ip_address: %s\n, ip_address)
 
-if not options.unattended:
-print 
-print The following operations may take some minutes to complete.
-print Please wait until the prompt is returned.
-print 
-
 admin_password = options.admin_password
 if not (options.unattended or admin_password):
 admin_password = read_admin_password(options.admin_name)
@@ -320,6 +314,46 @@ def main():
 set_and_check_netbios_name(options.netbios_name,
 options.unattended)
 
+if not options.add_sids:
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(Searching for objects with missing SID with 
+filter=%s, base_dn=%s, filter, base_dn)
+(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
+base_dn=base_dn, attrs_list=[''])
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError), e:
+print Could not retrieve a list of objects that need a SID identifier assigned:
+print unicode(e)
+else:
+object_count = len(entries)
+if object_count  0:
+print 
+print WARNING: %d existing users or groups do not have a SID identifier assigned. \
+% len(entries)
+print Installer can run a task to have ipa-sidgen Directory Server plugin generate
+print the SID identifier for all these users. Please note, the in case of a high
+print number of users and groups, the operation might lead to high replication
+print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
+print for details.
+print 
+if not options.unattended:
+if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False,
+allow_empty=False):
+options.add_sids = True
+
+if not options.unattended:
+print 
+print The following operations may take some minutes to complete.
+print Please wait until the prompt is returned.
+print 
+
 smb = adtrustinstance.ADTRUSTInstance(fstore)
 smb.realm = api.env.realm
 smb.autobind = service.ENABLED
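
Review bot: The warning text in the else branch reads "Please note, the in case of a high number of users and groups", where "the in case" is a typo, and it says the SID is generated "for all these users" although the count line above it covers users or groups. Reword both. The same branch assigns object_count and then formats the message with len(entries) again; use object_count there. Since the unattended-mode warning was requested for accounting purposes, also pass it to root_logger (the search line above already uses root_logger.debug) so that it is recorded by the logger and not only printed.
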
-- 
1.7.11.7


Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation

2013-01-31 Thread Alexander Bokovoy

On Thu, 31 Jan 2013, Martin Kosek wrote:

On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:

On Thu, 31 Jan 2013, Martin Kosek wrote:

When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195



...

I would still run this check in options.unattended mode and report a
warning, for accounting purposes.

Could you please make it so?



Sure! Updated patch attached.

Thanks! I have only a small addition:


+object_count = len(entries)
+if object_count  0:
+print 
+print WARNING: %d existing users or groups do not have a SID 
identifier assigned. \
+% len(entries)
+print Installer can run a task to have ipa-sidgen Directory Server 
plugin generate
+print the SID identifier for all these users. Please note, the in 
case of a high
+print number of users and groups, the operation might lead to high 
replication
+print traffic and performance degradation. Refer to 
ipa-adtrust-install(1) man page
+print for details.
+print 
+if not options.unattended:
+if ipautil.user_input(Do you want to run the ipa-sidgen 
task?, default=False,
+allow_empty=False):
+options.add_sids = True

... to make the text of the warning consistent it would be good to add
+ else:
+ print Unattended mode was selected, installer will *not* run 
ipa-sidgen task!

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation

2013-01-31 Thread Martin Kosek
On 01/31/2013 07:06 PM, Alexander Bokovoy wrote:
 On Thu, 31 Jan 2013, Martin Kosek wrote:
 On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:
 On Thu, 31 Jan 2013, Martin Kosek wrote:
 When ipa-adtrust-install is run, check if there are any objects
 that need to have SID generated. If yes, interactively ask the user
 if the sidgen task should be run.

 https://fedorahosted.org/freeipa/ticket/3195

 ...
 I would still run this check in options.unattended mode and report a
 warning, for accounting purposes.

 Could you please make it so?


 Sure! Updated patch attached.
 Thanks! I have only a small addition:
 
 +object_count = len(entries)
 +if object_count  0:
 +print 
 +print WARNING: %d existing users or groups do not have a
 SID identifier assigned. \
 +% len(entries)
 +print Installer can run a task to have ipa-sidgen Directory
 Server plugin generate
 +print the SID identifier for all these users. Please note,
 the in case of a high
 +print number of users and groups, the operation might lead
 to high replication
 +print traffic and performance degradation. Refer to
 ipa-adtrust-install(1) man page
 +print for details.
 +print 
 +if not options.unattended:
 +if ipautil.user_input(Do you want to run the ipa-sidgen
 task?, default=False,
 +allow_empty=False):
 +options.add_sids = True
 ... to make the text of the warning consistent it would be good to add
 + else:
 + print Unattended mode was selected, installer will 
 *not*
 run ipa-sidgen task!
 

And here is the updated patch.

Martin
From 83dd0656ce61416412d0540ebe3ec332b353d221 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 31 Jan 2013 15:08:08 +0100
Subject: [PATCH] ipa-adtrust-install should ask for SID generation

When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
---
 install/tools/ipa-adtrust-install | 48 ++-
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 17f2f0e98d08863c9e48595d219bffb148490921..9759ee5c7f996685e04ad0a90da05804392ec1e9 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -275,12 +275,6 @@ def main():
 ip_address = str(ip)
 root_logger.debug(will use ip_address: %s\n, ip_address)
 
-if not options.unattended:
-print 
-print The following operations may take some minutes to complete.
-print Please wait until the prompt is returned.
-print 
-
 admin_password = options.admin_password
 if not (options.unattended or admin_password):
 admin_password = read_admin_password(options.admin_name)
@@ -320,6 +314,48 @@ def main():
 set_and_check_netbios_name(options.netbios_name,
 options.unattended)
 
+if not options.add_sids:
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(Searching for objects with missing SID with 
+filter=%s, base_dn=%s, filter, base_dn)
+(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
+base_dn=base_dn, attrs_list=[''])
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError), e:
+print Could not retrieve a list of objects that need a SID identifier assigned:
+print unicode(e)
+else:
+object_count = len(entries)
+if object_count  0:
+print 
+print WARNING: %d existing users or groups do not have a SID identifier assigned. \
+% len(entries)
+print Installer can run a task to have ipa-sidgen Directory Server plugin generate
+print the SID identifier for all these users. Please note, the in case of a high
+print number of users and groups, the operation might lead to high replication
+print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
+print for details.
+print 
+if options.unattended:
+print Unattended mode was
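
Review bot: In the "except (errors.DatabaseError, errors.NetworkError), e:" branch the installer prints the error and carries on with options.add_sids still unset, so after a failed search the run proceeds exactly as it would when no objects are missing a SID. State in that branch that the check could not be completed and that the ipa-sidgen task will not be run, so the operator knows to verify SID assignment afterwards.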