On 05/03/2012 08:18 AM, Martin Kosek wrote:
On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
Hi Martin!

On Thu, 12 Apr 2012, Martin Kosek wrote:
...
3) I would not try to import ipaserver.dcerpc every time the command is
executed:
+        try:
+            import ipaserver.dcerpc
+        except Exception, e:
+            raise errors.NotFound(name=_('AD Trust setup'),
+                  reason=_('Cannot perform join operation without Samba
4 python bindings installed'))
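Review bot: `except Exception, e:` binds `e` but never uses it and, more importantly, swallows every exception raised while importing ipaserver.dcerpc, not only a missing Samba module, so a genuine defect inside that module (a SyntaxError or NameError) is reported to the operator as "Samba 4 python bindings not installed". Catch `ImportError` only and drop the unused `e`. Doing the import inside execute() also repeats the attempt on every call; a single guarded import at module load, with the result kept in a flag, keeps both the cost and the failure out of the request path.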

I would rather do it once in the beginning and set a flag:

try:
    import ipaserver.dcerpc
    _bindings_installed = True
except Exception:
    _bindings_installed = False

...
The idea was that this code is only executed on the server. We need to
differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings

By making it execute every time you are affecting the client code as
well, while with the current approach it only affects the server side.
Across our code base, this situation is currently solved with this
condition:

if api.env.in_server and api.env.context in ['lite', 'server']:
     # try-import block


+    def execute(self, *keys, **options):
+        # Join domain using full credentials and with random trustdom
+        # secret (will be generated by the join method)
+        trustinstance = None
+        if not _bindings_installed:
+            raise errors.NotFound(name=_('AD Trust setup'),
+                  reason=_('Cannot perform join operation without Samba
4 python bindings installed'))
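Review bot: execute() reads `_bindings_installed`, but the hunk does not show where the flag is initialized; if it is assigned only inside the server-side guarded import (`api.env.in_server and api.env.context in ['lite', 'server']`), a call on a host where that guard is false fails with NameError instead of the intended NotFound. Set `_bindings_installed = False` unconditionally at module scope before the guarded try/import and flip it to True only on success. Also `trustinstance = None` is assigned before the early-exit check yet nothing in the hunk uses it; move it below the check so the failure path carries no dead assignment.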


4) Another import inside a function:
+        def arcfour_encrypt(key, data):
+            from Crypto.Cipher import ARC4
+            c = ARC4.new(key)
+            return c.encrypt(data)
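Review bot: the nested `arcfour_encrypt` helper imports `Crypto.Cipher.ARC4` on every call and, unlike the dcerpc import, has no friendly failure: a server without PyCrypto gets a bare ImportError traceback from the middle of the join. Move the import next to the dcerpc one in the guarded server-side block so both optional dependencies are checked once and reported with the same NotFound message, and make the helper a module-level function so it can be unit-tested. ARC4 is a raw stream cipher with no framing of its own, so the caller must pass `data` as bytes and must not reuse one `key` for more than one message.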
Same here, it is only needed on server side.

Let us get consensus over 3) and 4) and I'll fix patches altogether (and
push).

Yeah, I would fix in the same way as 3).

I am running another round of tests to finish my review of your patches,
but I stumbled on a 389-ds error when I was installing the IPA server from a
package built from your git tree:
git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git

# rpm -q freeipa-server 389-ds-base
freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
389-ds-base-1.2.11-0.1.a1.fc17.x86_64
# ipa-server-install -p kokos123 -a kokos123
...
   [16/18]: issuing RA agent certificate
   [17/18]: adding RA agent as a trusted user
   [18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
   [1/35]: creating directory server user
   [2/35]: creating directory server instance
   [3/35]: adding default schema
   [4/35]: enabling memberof plugin
   [5/35]: enabling referential integrity plugin
   [6/35]: enabling winsync plugin
   [7/35]: configuring replication version plugin
   [8/35]: enabling IPA enrollment plugin
   [9/35]: enabling ldapi
   [10/35]: configuring uniqueness plugin
   [11/35]: configuring uuid plugin
   [12/35]: configuring modrdn plugin
   [13/35]: enabling entryUSN plugin
   [14/35]: configuring lockout plugin
   [15/35]: creating indices
   [16/35]: configuring ssl for ds instance
   [17/35]: configuring certmap.conf
   [18/35]: configure autobind for root
   [19/35]: configure new location for managed entries
   [20/35]: restarting directory server
   [21/35]: adding default layout
   [22/35]: adding delegation layout
ipa         : CRITICAL Failed to load delegation.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
non-zero exit status 255
   [23/35]: adding replication acis
ipa         : CRITICAL Failed to load replica-acis.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
non-zero exit status 255
   [24/35]: creating container for managed entries
ipa         : CRITICAL Failed to load managed-entries.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
non-zero exit status 255
   [25/35]: configuring user private groups
ipa         : CRITICAL Failed to load user_private_groups.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
non-zero exit status 255
   [26/35]: configuring netgroups from hostgroups
ipa         : CRITICAL Failed to load host_nis_groups.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
non-zero exit status 255
   [27/35]: creating default Sudo bind user
ipa         : CRITICAL Failed to load sudobind.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
non-zero exit status 255
   [28/35]: creating default Auto Member layout
ipa         : CRITICAL Failed to load automember.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
non-zero exit status 255
   [29/35]: creating default HBAC rule allow_all
ipa         : CRITICAL Failed to load default-hbac.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
non-zero exit status 255
   [30/35]: initializing group membership
ipa         : CRITICAL Failed to load memberof-task.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
  {'desc': "Can't contact LDAP server"}


# tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
starting up
[20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
cipher AES in backend userRoot, attempting to create one...
[20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
generated and stored
[20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
cipher 3DES in backend userRoot, attempting to create one...
[20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
successfully generated and stored
[20/Apr/2012:02:19:16 -0400] - slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[20/Apr/2012:02:19:16 -0400] - Listening
on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
resolve a deadlock (-30993)

Martin

I reproduced this issue even on another clean VM, I filed a BZ for that:
https://bugzilla.redhat.com/show_bug.cgi?id=816590

Martin

With the development version of the fix for DS issue, I was able to
continue with the review. I found the following issues:
Please start using 389-ds-base-1.2.11.1-1.fc17, which is in testing now. Karma would be much appreciated.

1) You add cifs s4u2proxy record twice. This leads to an error message
during ipa-adtrust-install:

# ipa-server-install --setup-dns
# ipa-adtrust-install
...
   [6/13]: setting password for the samba user
   [7/13]: adding cifs Kerberos principal
ipa         : CRITICAL Failed to add key for
cifs/vm-109.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
   [8/13]: adding admin(group) SIDs
   [9/13]: activating CLDAP plugin
...


2) Typo in ipa-adtrust-install info text:

         Additionally you have to make sure the FreeIPA LDAP server cannot 
reached
        by any domain controller in the Active Directory domain by closing the

s/reached/cannot be reached/

3) Another s4u2proxy error in ipa-replica-install:

# ipa-replica-install INFO_FILE
...
   [20/30]: restarting directory server
   [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
   [22/30]: adding replication acis
   [23/30]: setting Auto Member configuration
   [24/30]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
'/usr/bin/ldapmodify -h vm-098.idm.lab.bos.redhat.com -v
-f /tmp/tmpGFqASL -x -D cn=Directory Manager -y /tmp/tmpBuxVf4' returned
non-zero exit status 247
   [25/30]: initializing group membership

This is an error from ipareplica-install log:

2012-05-03T14:54:05Z DEBUG args=/usr/bin/ldapmodify -h
vm-098.idm.lab.bos.redhat.com -v -f /tmp/tmpGFqASL -x -D
cn=Directory Manager -y /tmp/tmpBuxVf4
2012-05-03T14:54:05Z DEBUG stdout=
2012-05-03T14:54:05Z DEBUG
stderr=ldap_initialize( ldap://vm-098.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"

4) When I run ipa-adtrust-install on the replica, I received the same
error as in 1)

5) Removal of cifs S4U2Proxy records does not work because the removal
code does not specify the right service name (s/ldap/cifs):

        dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
        member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)

6) I miss some help or examples in trust help:

# ipa help trust
Manage trust relationship between realms

Topic commands:

But I suppose it can be added as an enhancement later.

This is all for now, I don't have an environment to test the trusts
themselves. But fixing these basic issues should be sufficient for us to
be able to at least push this work to master.

Martin
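The server-side optional import discussed under 3) and 4) above, written out as an added example. This is not FreeIPA code and not code from either poster: the `api.env.in_server` / `api.env.context` test and the NotFound message are the ones quoted in the thread, while the NotFound class, the `load_bindings` helper, the `TrustAdd` shape and the fake importers are stand-ins chosen so the example runs (under Python 3) on a machine without Samba. It shows the three states Alexander lists (client, server without bindings, server with bindings) and one more that the original `except Exception` hides: a broken module, which must surface as a bug rather than as "bindings not installed".

```python
import importlib
import types

OPTIONAL_MODULE = "ipaserver.dcerpc"      # real name of the optional dependency
_MISSING_BINDINGS = ("Cannot perform join operation without "
                     "Samba 4 python bindings installed")


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (hypothetical, for the example)."""
    def __init__(self, name, reason):
        super().__init__("%s: %s" % (name, reason))
        self.name, self.reason = name, reason


def load_bindings(env, importer=importlib.import_module, module=OPTIONAL_MODULE):
    """Attempt the optional import once and report (installed, module).

    client            -> (False, None) without touching the importer
    server, no Samba  -> (False, None); execute() turns this into NotFound
    server, Samba     -> (True, <module>)
    Only ImportError is treated as "not installed"; any other exception
    raised while importing is a real bug and is allowed to propagate.
    """
    if not (env.in_server and env.context in ("lite", "server")):
        return False, None
    try:
        return True, importer(module)
    except ImportError:
        return False, None


class TrustAdd:
    """Minimal shape of a command whose execute() needs the bindings."""
    def __init__(self, env, importer=importlib.import_module):
        self.env = env
        # flag is always defined, whichever branch load_bindings took
        self.bindings_installed, self.dcerpc = load_bindings(env, importer)

    def execute(self, *keys, **options):
        if not self.bindings_installed:
            raise NotFound(name="AD Trust setup", reason=_MISSING_BINDINGS)
        # hypothetical call on the bindings; the real API is not shown in the thread
        return self.dcerpc.join(*keys, **options)


# Constructed importers so the example runs without Samba installed.
def importer_present(name):
    assert name == OPTIONAL_MODULE
    return types.SimpleNamespace(join=lambda *k, **o: ("joined", k, sorted(o)))


def importer_missing(name):
    raise ImportError("No module named %s" % name)


def importer_broken(name):
    raise NameError("bug inside %s" % name)   # must NOT read as "not installed"


def outcome(env, importer):
    """Run execute() and describe what the caller sees."""
    try:
        cmd = TrustAdd(env, importer)
        return "ok:%s" % cmd.execute("ad.example.test", realm="EXAMPLE.TEST")[0]
    except NotFound as e:
        return "notfound:%s" % e.reason
    except Exception as e:
        return "bug:%s" % type(e).__name__


# Constructed environments standing in for api.env on a client and a server.
CLIENT = types.SimpleNamespace(in_server=False, context="cli")
SERVER = types.SimpleNamespace(in_server=True, context="server")

if __name__ == "__main__":
    for label, env, imp in [("client", CLIENT, importer_missing),
                            ("server/no bindings", SERVER, importer_missing),
                            ("server/bindings", SERVER, importer_present),
                            ("server/broken module", SERVER, importer_broken)]:
        print("%-22s %s" % (label, outcome(env, imp)))
```

On the client the importer is never invoked at all, which is the property Alexander is after; on the server the only exception translated into the user-facing NotFound is ImportError.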
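Items 1), 4) and 5) above are two faces of one problem: the cifs S4U2Proxy membership is added twice, and the removal path builds its principal with `ldap/` where the add path used `cifs/`. The added example below (not FreeIPA code, not from the patch) derives every membership change from a single table so add and remove cannot disagree, and makes the add step idempotent so a second run, or a run on a replica, does not fail. The container `cn=s4u2proxy,cn=etc` and the entry name `ipa-cifs-delegation-targets` come from the thread; the other entry names, the `memberPrincipal` attribute, the in-memory directory and the sample replica/realm/suffix values are assumptions made for the example.

```python
# entry cn under the s4u2proxy container -> Kerberos service of its member
DELEGATION_TARGETS = {
    "ipa-http-delegation": "HTTP",            # assumption: the delegating service
    "ipa-ldap-delegation-targets": "ldap",    # assumption
    "ipa-cifs-delegation-targets": "cifs",    # entry named in item 5 of the thread
}
CONTAINER = "cn=s4u2proxy,cn=etc"
ATTR = "memberPrincipal"                      # assumed attribute name


def target_dn(cn, suffix):
    return "cn=%s,%s,%s" % (cn, CONTAINER, suffix)


def member_principal(service, fqdn, realm):
    return "%s/%s@%s" % (service, fqdn, realm)


def planned_changes(replica, realm, suffix):
    """One (dn, principal) pair per entry, shared by the add and remove paths."""
    return [(target_dn(cn, suffix), member_principal(svc, replica, realm))
            for cn, svc in DELEGATION_TARGETS.items()]


def ldif(replica, realm, suffix, changetype):
    """Render the changes as LDIF for ldapmodify; changetype is 'add' or 'delete'."""
    records = []
    for dn, principal in planned_changes(replica, realm, suffix):
        records.append("dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n"
                       % (dn, changetype, ATTR, ATTR, principal))
    return "\n".join(records)


def apply_change(directory, dn, principal, changetype):
    """Idempotent modify against an in-memory directory {dn: set(principal)}.

    A plain ldapmodify 'add' of a value that already exists fails, which is
    what a second installer run (or a run on a replica) hits; checking first
    makes the step re-runnable.
    """
    members = directory.setdefault(dn, set())
    if changetype == "add":
        if principal in members:
            return "present"
        members.add(principal)
        return "added"
    if changetype == "delete":
        if principal not in members:
            return "absent"
        members.remove(principal)
        return "deleted"
    raise ValueError("unknown changetype %r" % changetype)


def add_replica(directory, replica, realm, suffix):
    return {dn: apply_change(directory, dn, p, "add")
            for dn, p in planned_changes(replica, realm, suffix)}


def remove_replica(directory, replica, realm, suffix):
    return {dn: apply_change(directory, dn, p, "delete")
            for dn, p in planned_changes(replica, realm, suffix)}


def leftover_principals(directory, replica):
    """Principals of the replica still present after removal (should be none)."""
    return sorted(p for members in directory.values() for p in members
                  if p.split("@")[0].endswith("/" + replica))


if __name__ == "__main__":
    # constructed sample values
    replica, realm, suffix = "replica1.example.test", "EXAMPLE.TEST", "dc=example,dc=test"
    directory = {}
    print(add_replica(directory, replica, realm, suffix))     # all "added"
    print(add_replica(directory, replica, realm, suffix))     # all "present", no error
    print(ldif(replica, realm, suffix, "delete"))
    print(remove_replica(directory, replica, realm, suffix))  # all "deleted"
    print(leftover_principals(directory, replica))            # []
```

Because the removal path reuses `planned_changes`, the cifs entry is cleaned up with the `cifs/` principal that was added, which is exactly what the hand-written `member_principal3` in item 5 gets wrong.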

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel