On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> > On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > > Hi Martin!
> > >
> > > On Thu, 12 Apr 2012, Martin Kosek wrote:
> > ...
> > > >3) I would not try to import ipaserver.dcerpc every time the command is
> > > >executed:
> > > >+ try:
> > > >+ import ipaserver.dcerpc
> > > >+ except Exception, e:
> > > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > > >+ reason=_('Cannot perform join operation without Samba
> > > >4 python bindings installed'))
> > > >
> > > >I would rather do it once in the beginning and set a flag:
> > > >
> > > >try:
> > > >    import ipaserver.dcerpc
> > > >    _bindings_installed = True
> > > >except Exception:
> > > >    _bindings_installed = False
> > > >
> > > >...
> > > The idea was that this code is only executed on the server. We need to
> > > differentiate between:
> > > - running on client
> > > - running on server, no samba4 python bindings
> > > - running on server with samba4 python bindings
> > >
> > > By making it executed all time you are affecting the client code as
> > > well while with current approach it only affects server side.
> >
> > Across our code base, this situation is currently solved with this
> > condition:
> >
> > if api.env.in_server and api.env.context in ['lite', 'server']:
> >     # try-import block
> >
> >
> > > >
> > > >+ def execute(self, *keys, **options):
> > > >+ # Join domain using full credentials and with random trustdom
> > > >+ # secret (will be generated by the join method)
> > > >+ trustinstance = None
> > > >+ if not _bindings_installed:
> > > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > > >+ reason=_('Cannot perform join operation without Samba
> > > >4 python bindings installed'))
> > > >
> > > >
> > > >4) Another import inside a function:
> > > >+ def arcfour_encrypt(key, data):
> > > >+ from Crypto.Cipher import ARC4
> > > >+ c = ARC4.new(key)
> > > >+ return c.encrypt(data)
> > > Same here, it is only needed on server side.
> > >
> > > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > > push).
> > >
> > >
> > Yeah, I would fix in the same way as 3).
> >
>
> I am running another run of test to finish my review of your patches,
> but I stumbled in 389-ds error when I was installing IPA server from
> package built from your git tree:
> git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
>
> # rpm -q freeipa-server 389-ds-base
> freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
> 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
> # ipa-server-install -p kokos123 -a kokos123
> ...
> [16/18]: issuing RA agent certificate
> [17/18]: adding RA agent as a trusted user
> [18/18]: Configure HTTP to proxy connections
> done configuring pki-cad.
> Configuring directory server: Estimated time 1 minute
> [1/35]: creating directory server user
> [2/35]: creating directory server instance
> [3/35]: adding default schema
> [4/35]: enabling memberof plugin
> [5/35]: enabling referential integrity plugin
> [6/35]: enabling winsync plugin
> [7/35]: configuring replication version plugin
> [8/35]: enabling IPA enrollment plugin
> [9/35]: enabling ldapi
> [10/35]: configuring uniqueness plugin
> [11/35]: configuring uuid plugin
> [12/35]: configuring modrdn plugin
> [13/35]: enabling entryUSN plugin
> [14/35]: configuring lockout plugin
> [15/35]: creating indices
> [16/35]: configuring ssl for ds instance
> [17/35]: configuring certmap.conf
> [18/35]: configure autobind for root
> [19/35]: configure new location for managed entries
> [20/35]: restarting directory server
> [21/35]: adding default layout
> [22/35]: adding delegation layout
> ipa : CRITICAL Failed to load delegation.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
> non-zero exit status 255
> [23/35]: adding replication acis
> ipa : CRITICAL Failed to load replica-acis.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
> non-zero exit status 255
> [24/35]: creating container for managed entries
> ipa : CRITICAL Failed to load managed-entries.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
> non-zero exit status 255
> [25/35]: configuring user private groups
> ipa : CRITICAL Failed to load user_private_groups.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
> non-zero exit status 255
> [26/35]: configuring netgroups from hostgroups
> ipa : CRITICAL Failed to load host_nis_groups.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
> non-zero exit status 255
> [27/35]: creating default Sudo bind user
> ipa : CRITICAL Failed to load sudobind.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
> non-zero exit status 255
> [28/35]: creating default Auto Member layout
> ipa : CRITICAL Failed to load automember.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
> non-zero exit status 255
> [29/35]: creating default HBAC rule allow_all
> ipa : CRITICAL Failed to load default-hbac.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
> non-zero exit status 255
> [30/35]: initializing group membership
> ipa : CRITICAL Failed to load memberof-task.ldif: Command
> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
> non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
> {'desc': "Can't contact LDAP server"}
>
>
> # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
> [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
> starting up
> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> cipher AES in backend userRoot, attempting to create one...
> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
> generated and stored
> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> cipher 3DES in backend userRoot, attempting to create one...
> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
> successfully generated and stored
> [20/Apr/2012:02:19:16 -0400] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
> LDAPS requests
> [20/Apr/2012:02:19:16 -0400] - Listening
> on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
> Templates found, which should be added before the CoS Definition.
> [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
> the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
> resolve a deadlock (-30993)
>
> Martin
>

I reproduced this issue even on another clean VM, I filed a BZ for that:
https://bugzilla.redhat.com/show_bug.cgi?id=816590

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
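
Review bot: the "except Exception, e:" around "import ipaserver.dcerpc" catches every exception and never uses e, so a defect inside that module or in anything it imports is reported to the caller as "Cannot perform join operation without Samba 4 python bindings installed". Catch ImportError only, and log the original exception before raising errors.NotFound so the real cause can be recovered from the server log.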
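
Review bot: arcfour_encrypt() has no docstring or comment saying which step of the trust join needs RC4 or what kind of value key must be, which leaves nothing to stop it being reused as a general-purpose encryption helper. The function-level "from Crypto.Cipher import ARC4" also means a missing Crypto package surfaces as a bare ImportError on first call rather than through the errors.NotFound path used for the Samba bindings; document the purpose and move the import under the same server-side guard as ipaserver.dcerpc.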
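
The three cases discussed in the quoted thread (client, server without bindings, server with bindings), as an added Python 3 example that is not code from the FreeIPA patch. probe_bindings, make_execute, BindingsNotInstalled and the sample environments are hypothetical names, and the standard-library json module stands in for the Samba bindings.

```python
import importlib
from types import SimpleNamespace

SERVER_CONTEXTS = ('lite', 'server')  # contexts named in the thread


class BindingsNotInstalled(Exception):
    """Hypothetical stand-in for the errors.NotFound raised in the patch."""


def probe_bindings(env, module_name):
    """Classify the process once, at load time, into the thread's three cases.

    Returns (state, module) where state is 'client', 'server-missing' or
    'server-ok'. Nothing is imported unless env says we are in the server.
    """
    if not (env.in_server and env.context in SERVER_CONTEXTS):
        return 'client', None
    try:
        return 'server-ok', importlib.import_module(module_name)
    except ImportError:
        # Only a missing module counts as "not installed"; any other
        # exception raised by the module propagates with its traceback.
        return 'server-missing', None


def make_execute(env, module_name):
    """Build a command body that reuses the one-time probe result."""
    state, module = probe_bindings(env, module_name)

    def execute():
        if state != 'server-ok':
            raise BindingsNotInstalled(
                'Cannot perform join operation (%s)' % state)
        return module.__name__

    return execute


# Constructed environments; 'json' stands in for an installed binding and
# 'no_such_samba_binding' for one that is absent.
CLIENT = SimpleNamespace(in_server=False, context='cli')
SERVER = SimpleNamespace(in_server=True, context='server')

if __name__ == '__main__':
    for env, mod in ((CLIENT, 'json'), (SERVER, 'no_such_samba_binding'),
                     (SERVER, 'json')):
        print(env.context, mod, probe_bindings(env, mod)[0])
```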