On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
> On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
> > On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> > > On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > > > Hi Martin!
> > > > 
> > > > On Thu, 12 Apr 2012, Martin Kosek wrote:
> > > ...
> > > > >3) I would not try to import ipaserver.dcerpc every time the command is
> > > > >executed:
> > > > >+        try:
> > > > >+            import ipaserver.dcerpc
> > > > >+        except Exception, e:
> > > > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > > > >+                  reason=_('Cannot perform join operation without 
> > > > >Samba
> > > > >4 python bindings installed'))
> > > > >
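Review bot: the `except Exception, e:` around `import ipaserver.dcerpc` swallows every failure, not only a missing module, so a bindings package that is installed but fails to import (any non-ImportError raised inside ipaserver.dcerpc or its dependencies) is reported as "Samba 4 python bindings not installed" and the real traceback is lost; `e` is bound and never used. Catch `ImportError` here and let anything else propagate, or at least put `e` into the `reason` string so the operator sees what actually failed instead of reinstalling a package that is already there.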
> > > > >I would rather do it once in the beginning and set a flag:
> > > > >
> > > > >try:
> > > > >    import ipaserver.dcerpc
> > > > >     _bindings_installed = True
> > > > >except Exception:
> > > > >    _bindings_installed = False
> > > > >
> > > > >...
> > > > The idea was that this code is only executed on the server. We need to
> > > > differentiate between:
> > > > - running on client
> > > > - running on server, no samba4 python bindings
> > > > - running on server with samba4 python bindings
> > > > 
> > > > By making it execute all the time you are affecting the client code as
> > > > well, while with the current approach it only affects the server side.
> > > 
> > > Across our code base, this situation is currently solved with this
> > > condition:
> > > 
> > > if api.env.in_server and api.env.context in ['lite', 'server']:
> > >     # try-import block
> > > 
> > > > 
> > > > 
> > > > >+    def execute(self, *keys, **options):
> > > > >+        # Join domain using full credentials and with random trustdom
> > > > >+        # secret (will be generated by the join method)
> > > > >+        trustinstance = None
> > > > >+        if not _bindings_installed:
> > > > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > > > >+                  reason=_('Cannot perform join operation without 
> > > > >Samba
> > > > >4 python bindings installed'))
> > > > >
> > > > >
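Review bot: the `_bindings_installed` check in execute() repeats the reason string of the import-time handler verbatim ("Cannot perform join operation without Samba 4 python bindings installed"); keep that text in one module-level constant so the two copies cannot drift, and once the flag pattern is adopted the import-time `raise errors.NotFound` is redundant, since execute() already refuses when the flag is false. `errors.NotFound` with name 'AD Trust setup' also reads as "object not found" to a caller; a dependency-type error with the same message would be clearer for scripts that branch on the error class.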
> > > > >4) Another import inside a function:
> > > > >+        def arcfour_encrypt(key, data):
> > > > >+            from Crypto.Cipher import ARC4
> > > > >+            c = ARC4.new(key)
> > > > >+            return c.encrypt(data)
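Review bot: `arcfour_encrypt` re-imports Crypto.Cipher.ARC4 on every call and carries no comment on why RC4 is used. RC4 is a cipher any later reviewer will flag, so add a one-line comment naming the peer protocol that requires it, so that nobody "fixes" it to AES and breaks the join, and move the import under the same server-side gate as 3) so the client side never needs PyCrypto installed.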
> > > > Same here, it is only needed on server side.
> > > > 
> > > > Let us get consensus on 3) and 4) and I'll fix the patches altogether (and
> > > > push).
> > > > 
> > > 
> > > Yeah, I would fix in the same way as 3).
> > > 
> > 
> > I am running another round of tests to finish my review of your patches,
> > but I stumbled on a 389-ds error when I was installing the IPA server from a
> > package built from your git tree:
> > git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
> > 
> > # rpm -q freeipa-server 389-ds-base
> > freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
> > 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
> > # ipa-server-install -p kokos123 -a kokos123
> > ...
> >   [16/18]: issuing RA agent certificate
> >   [17/18]: adding RA agent as a trusted user
> >   [18/18]: Configure HTTP to proxy connections
> > done configuring pki-cad.
> > Configuring directory server: Estimated time 1 minute
> >   [1/35]: creating directory server user
> >   [2/35]: creating directory server instance
> >   [3/35]: adding default schema
> >   [4/35]: enabling memberof plugin
> >   [5/35]: enabling referential integrity plugin
> >   [6/35]: enabling winsync plugin
> >   [7/35]: configuring replication version plugin
> >   [8/35]: enabling IPA enrollment plugin
> >   [9/35]: enabling ldapi
> >   [10/35]: configuring uniqueness plugin
> >   [11/35]: configuring uuid plugin
> >   [12/35]: configuring modrdn plugin
> >   [13/35]: enabling entryUSN plugin
> >   [14/35]: configuring lockout plugin
> >   [15/35]: creating indices
> >   [16/35]: configuring ssl for ds instance
> >   [17/35]: configuring certmap.conf
> >   [18/35]: configure autobind for root
> >   [19/35]: configure new location for managed entries
> >   [20/35]: restarting directory server
> >   [21/35]: adding default layout
> >   [22/35]: adding delegation layout
> > ipa         : CRITICAL Failed to load delegation.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
> > non-zero exit status 255
> >   [23/35]: adding replication acis
> > ipa         : CRITICAL Failed to load replica-acis.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
> > non-zero exit status 255
> >   [24/35]: creating container for managed entries
> > ipa         : CRITICAL Failed to load managed-entries.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
> > non-zero exit status 255
> >   [25/35]: configuring user private groups
> > ipa         : CRITICAL Failed to load user_private_groups.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
> > non-zero exit status 255
> >   [26/35]: configuring netgroups from hostgroups
> > ipa         : CRITICAL Failed to load host_nis_groups.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
> > non-zero exit status 255
> >   [27/35]: creating default Sudo bind user
> > ipa         : CRITICAL Failed to load sudobind.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
> > non-zero exit status 255
> >   [28/35]: creating default Auto Member layout
> > ipa         : CRITICAL Failed to load automember.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
> > non-zero exit status 255
> >   [29/35]: creating default HBAC rule allow_all
> > ipa         : CRITICAL Failed to load default-hbac.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
> > non-zero exit status 255
> >   [30/35]: initializing group membership
> > ipa         : CRITICAL Failed to load memberof-task.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
> > non-zero exit status 255
> > Unexpected error - see ipaserver-install.log for details:
> >  {'desc': "Can't contact LDAP server"}
> > 
> > 
> > # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
> > [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
> > starting up
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> > cipher AES in backend userRoot, attempting to create one...
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
> > generated and stored
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> > cipher 3DES in backend userRoot, attempting to create one...
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
> > successfully generated and stored
> > [20/Apr/2012:02:19:16 -0400] - slapd started.  Listening on All
> > Interfaces port 389 for LDAP requests
> > [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
> > LDAPS requests
> > [20/Apr/2012:02:19:16 -0400] - Listening
> > on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> > [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
> > Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
> > Templates found, which should be added before the CoS Definition.
> > [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
> > the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
> > resolve a deadlock (-30993)
> > 
> > Martin
> > 
> 
> I reproduced this issue on another clean VM as well, and filed a BZ for it:
> https://bugzilla.redhat.com/show_bug.cgi?id=816590
> 
> Martin
> 

With the development version of the fix for DS issue, I was able to
continue with the review. I found the following issues:

1) You add the cifs s4u2proxy record twice. This leads to an error message
during ipa-adtrust-install:

# ipa-server-install --setup-dns
# ipa-adtrust-install 
...
  [6/13]: setting password for the samba user
  [7/13]: adding cifs Kerberos principal
ipa         : CRITICAL Failed to add key for
cifs/vm-109.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
  [8/13]: adding admin(group) SIDs
  [9/13]: activating CLDAP plugin
...


2) Typo in ipa-adtrust-install info text:

        Additionally you have to make sure the FreeIPA LDAP server cannot 
reached
        by any domain controller in the Active Directory domain by closing the

s/reached/cannot be reached/

3) Another s4u2proxy error in ipa-replica-install:

# ipa-replica-install INFO_FILE
...
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
'/usr/bin/ldapmodify -h vm-098.idm.lab.bos.redhat.com -v
-f /tmp/tmpGFqASL -x -D cn=Directory Manager -y /tmp/tmpBuxVf4' returned
non-zero exit status 247
  [25/30]: initializing group membership

This is an error from ipareplica-install log:

2012-05-03T14:54:05Z DEBUG args=/usr/bin/ldapmodify -h
vm-098.idm.lab.bos.redhat.com -v -f /tmp/tmpGFqASL -x -D
cn=Directory Manager -y /tmp/tmpBuxVf4
2012-05-03T14:54:05Z DEBUG stdout=
2012-05-03T14:54:05Z DEBUG
stderr=ldap_initialize( ldap://vm-098.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"

4) When I ran ipa-adtrust-install on the replica, I received the same
error as in 1)

5) Removal of cifs S4U2Proxy records does not work because the removal
code does not specify the right service name (s/ldap/cifs):

        dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
        member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)

6) I am missing some help text or examples in the trust help:

# ipa help trust
Manage trust relationship between realms

Topic commands:

But I suppose it can be added as an enhancement later.

This is all for now, I don't have an environment to test the trusts
themselves. But fixing these basic issues should be sufficient for us to
be able to at least push this work to master.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
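The guarded-import pattern discussed under 3) and 4) above (probe the server-only bindings once, gate it on api.env so client runs never touch them, and have execute() refuse with a clear message), written out as an added example. This is not FreeIPA code: `Env`, `server_side`, `load_bindings`, `execute_trust_add` and the `importer` hook are hypothetical names; `ipaserver.dcerpc` is only the module name from the thread and is never actually required, so the block runs offline. It also splits "not installed" from "installed but broken", which the quoted hunk conflated.

```python
"""Server-only optional dependency guard (added example, not FreeIPA code)."""
import importlib


class Env(object):
    """Hypothetical stand-in for api.env: which side we run on, and the context."""

    def __init__(self, in_server, context):
        self.in_server = in_server
        self.context = context


class BindingsUnavailable(Exception):
    """Raised by the command when the server-side bindings cannot be used."""


def server_side(env):
    """The gate quoted in the thread: only the server contexts attempt the
    import, so a client run never evaluates the server-only code."""
    return bool(env.in_server) and env.context in ("lite", "server")


def load_bindings(env, module_name="ipaserver.dcerpc",
                  importer=importlib.import_module):
    """Probe the bindings once; returns (module, reason).

    module is None when unusable, and reason tells the three states apart:
      None            client side, import never attempted
      "missing"       server side, ImportError: bindings not installed
      "broken: ..."   server side, the module exists but failed to import;
                      reported separately so a real bug is not disguised
                      as "bindings not installed"
    `importer` is a hypothetical hook so both failure modes can be exercised
    without the real package being present.
    """
    if not server_side(env):
        return None, None
    try:
        return importer(module_name), None
    except ImportError:
        return None, "missing"
    except Exception as e:  # installed but unusable, e.g. ABI mismatch
        return None, "broken: %s: %s" % (type(e).__name__, e)


def execute_trust_add(bindings, reason, join):
    """Mirror of the execute() check: refuse with a precise message before
    doing any work. `join` is the real join routine, injected (hypothetical)."""
    if bindings is not None:
        return join(bindings)
    if reason is None:
        raise BindingsUnavailable("trust-add must run on the IPA server")
    if reason == "missing":
        raise BindingsUnavailable(
            "Cannot perform join operation without Samba 4 python bindings installed")
    raise BindingsUnavailable("Samba 4 python bindings are unusable (%s)" % reason)


# One-time probe at module import, as suggested in the review (assumed env).
_ENV = Env(in_server=True, context="server")
_BINDINGS, _REASON = load_bindings(_ENV)
```

The probe result is computed once at import and reused by every command invocation; on a client (`in_server` false, or a context outside 'lite'/'server') the import is never attempted at all, which is the property Alexander wanted preserved.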
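Issue 5) above is a removal routine that deletes from the cifs delegation-target entry using an ldap/ principal, so the cifs member of a removed replica is never taken out and the decommissioned host stays a permitted S4U2Proxy target. The added example below (not FreeIPA code) drives install and removal from one table so the two cannot drift, and checks a constructed directory snapshot for leftovers. The container cn=s4u2proxy,cn=etc, the entry ipa-cifs-delegation-targets and the suffix come from the thread; the ipa-ldap-delegation-targets name, the helper names and the in-memory directory are assumptions.

```python
"""Keep S4U2Proxy delegation-target add and remove in sync (added example)."""

SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"  # suffix seen in the logs above
S4U2PROXY = "cn=s4u2proxy,cn=etc"                 # api.env.container_s4u2proxy

# One table drives both install and removal. The ldap entry name is assumed;
# the cifs entry name is the one quoted in the review.
TARGETS = {
    "ldap": "cn=ipa-ldap-delegation-targets",
    "cifs": "cn=ipa-cifs-delegation-targets",
}


def member_principal(service, fqdn, realm):
    return "%s/%s@%s" % (service, fqdn, realm)


def target_dn(service, suffix=SUFFIX):
    return ",".join((TARGETS[service], S4U2PROXY, suffix))


def delegation_members(replica, realm, services=("ldap", "cifs")):
    """(target DN, memberPrincipal) pairs one replica needs on install; the
    same list is what removal must delete."""
    return [(target_dn(s), member_principal(s, replica, realm)) for s in services]


def ldif_modify(op, pairs):
    """Render LDIF change records; op is "add" on install, "delete" on removal."""
    records = []
    for dn, principal in pairs:
        records.append("dn: %s\nchangetype: modify\n%s: memberPrincipal\n"
                       "memberPrincipal: %s\n-\n" % (dn, op, principal))
    return "\n".join(records)


def apply_pairs(directory, pairs, op):
    """Apply add/delete pairs to a {dn: set(principals)} snapshot. The snapshot
    is a constructed stand-in for the directory; no LDAP connection is made."""
    d = dict((dn, set(v)) for dn, v in directory.items())
    for dn, principal in pairs:
        if op == "add":
            d.setdefault(dn, set()).add(principal)
        else:
            d.get(dn, set()).discard(principal)
    return d


def buggy_removal_pairs(replica, realm):
    """The defect as reported: the cifs target DN paired with an ldap principal."""
    return [(target_dn("ldap"), member_principal("ldap", replica, realm)),
            (target_dn("cifs"), member_principal("ldap", replica, realm))]


def stale_members(directory, replica, realm):
    """Principals of a removed replica still listed as delegation targets.
    Anything reported here is a host that can still be delegated to."""
    wanted = set(delegation_members(replica, realm))
    present = set((dn, p) for dn, ps in directory.items() for p in ps)
    return sorted(wanted & present)
```

Running `stale_members` after a replica removal is the check that would have caught 5) without a full trust environment: after the buggy deletion the cifs pair is still present, after deleting exactly `delegation_members(...)` nothing is left.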
