The branch, master has been updated
via 1f823424418 python:gp: Improve working of log messages to avoid confusion
via 367756b85a9 python:gp: Log an error if update fails
via 98dc44286ea python:gp: Do not print an error if template already exists
via 728757cd1ff python:gp: Do not print an error, if CA already exists
via 6d5507e0505 python:gp: Improve logging for certificate enrollment
via 6a9630eff62 python:gp: Avoid path check for cepces-submit
from 6e6d8384f36 vfs_ceph: Use ceph_fdopendir() when available for SMB_VFS_FDOPENDIR
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 1f823424418e814d9dc0785658e2a7d92643dab2
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 15:46:24 2024 +0100

python:gp: Improve working of log messages to avoid confusion

We should not use the word "Failed". We are totally fine if we can't connect to NDES in the meantime.

This logs:
Try to get root or server certificates.
Unable to install root certificates (requires NDES).
Installing the server certificate only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224

commit 367756b85a9ac8daaac2326392bcd1373feed3b7
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 15:05:24 2024 +0100

python:gp: Log an error if update fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

commit 98dc44286ea102ef7701ccdea26bbde32b523a7e
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 15:05:02 2024 +0100

python:gp: Do not print an error if template already exists

We will get an exit status for duplicate in future:
https://www.pagure.io/certmonger/issue/269

We can't really fix that right now, as older version of certmonger don't support the `-v` option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

commit 728757cd1ff0465967fcbda100254c9312e87c93
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 15:04:36 2024 +0100

python:gp: Do not print an error, if CA already exists

We will get an exit status for duplicate in future:
https://www.pagure.io/certmonger/issue/269

We can't really fix that right now, as older version of certmonger don't support the `-v` option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 14:07:47 2024 +0100

python:gp: Improve logging for certificate enrollment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

commit 6a9630eff624643fd725219775784e68d967d04c
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jan 22 14:14:30 2024 +0100

python:gp: Avoid path check for cepces-submit

find_cepces_submit() uses which(), which returns None if not found.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: David Mulder <dmul...@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/gp/gp_cert_auto_enroll_ext.py | 41 +++++++++++++++++++++---------
1 file changed, 29 insertions(+), 12 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 8ba1960efe5..9b743cb7f9b 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -185,7 +185,7 @@ def find_cepces_submit():
 
 def get_supported_templates(server):
     cepces_submit = find_cepces_submit()
-    if not cepces_submit or not os.path.exists(cepces_submit):
+    if not cepces_submit:
         log.error('Failed to find cepces-submit')
         return []
 
@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir):
         r = requests.get(url=url, params={'operation': 'GetCACert',
                                           'message': 'CAIdentifier'})
     except requests.exceptions.ConnectionError:
-        log.warn('Failed to establish a new connection')
+        log.warn('Could not connect to Network Device Enrollment Service.')
         r = None
     if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
-        log.warn('Failed to fetch the root certificate chain.')
-        log.warn('The Network Device Enrollment Service is either not' +
-                 ' installed or not configured.')
+        log.warn('Unable to fetch root certificates (requires NDES).')
         if 'cACertificate' in ca:
             log.warn('Installing the server certificate only.')
             der_certificate = base64.b64decode(ca['cACertificate'])
@@ -274,6 +272,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+
+    log.info("Try to get root or server certificates")
+
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
     global_trust_dir = find_global_trust_dir()
@@ -283,6 +284,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
         try:
             os.symlink(src, dst)
             data['files'].append(dst)
+            log.info("Created symlink: %s -> %s" % (src, dst))
         except PermissionError:
             log.warn('Failed to symlink root certificate to the'
                      ' admin trust anchors')
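Review bot: The new `log.info("Try to get root or server certificates")` line in the @@ -274 hunk uses double quotes and a "Try to" phrasing, while every other message visible in this file is single-quoted and written as a statement; `log.info('Fetching root or server certificates from %s' % ca['hostname'])` would match the file's style and also tell an operator which host was contacted. The symlink message added in the @@ -283 hunk (`"Created symlink: %s -> %s"`) has the same quoting difference. cert_enroll continues past both hunks.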
@@ -295,13 +297,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             # already exists. Ignore the FileExistsError. Preserve the
             # existing symlink in the unapply data.
             data['files'].append(dst)
+
     update = update_ca_command()
+    log.info("Running %s" % (update))
     if update is not None:
-        Popen([update]).wait()
+        ret = Popen([update]).wait()
+        if ret != 0:
+            log.error('Failed to run %s' % (update))
+
     # Setup Certificate Auto Enrollment
     getcert = which('getcert')
     cepces_submit = find_cepces_submit()
-    if getcert is not None and os.path.exists(cepces_submit):
+    if getcert is not None and cepces_submit is not None:
         p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e',
                    '%s --server=%s --auth=%s' % (cepces_submit,
                                                   ca['hostname'], auth)],
@@ -309,8 +316,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
         out, err = p.communicate()
         log.debug(out.decode())
         if p.returncode != 0:
-            data = { 'Error': err.decode(), 'CA': ca['name'] }
-            log.error('Failed to add Certificate Authority', data)
+            if p.returncode == 2:
+                log.info('The CA [%s] already exists' % ca['name'])
+            else:
+                data = {'Error': err.decode(), 'CA': ca['name']}
+                log.error('Failed to add Certificate Authority', data)
+
         supported_templates = get_supported_templates(ca['hostname'])
         for template in supported_templates:
             attrs = fetch_template_attrs(ldb, template)
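Review bot: `log.info("Running %s" % (update))` in the @@ -295 hunk is emitted before the `if update is not None:` guard, so a host on which update_ca_command() finds nothing logs "Running None" and then silently skips the update; move the line inside the guard, `if update is not None:` / `    log.info('Running %s' % update)`. An `else:` branch that warns that the root certificates fetched above were not pushed to the system trust store would be worth adding there too, since presumably nothing else in this function does that when `update` is None. The second copy of this block in the @@ -325 hunk is already inside its guard. cert_enroll starts before this hunk and ends after it.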
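Review bot: In the new `else:` branch of the @@ -309 hunk, `data = {'Error': err.decode(), 'CA': ca['name']}` rebinds the `data` dict that cert_enroll built with the `'files'` and `'templates'` keys (the `data = dict({'files': [], 'templates': []}, **ca)` context in the @@ -274 hunk), so the next `data['files'].extend(...)` in the template loop raises KeyError and the unapply record the caller presumably keeps from the returned dict is lost; the commit reformats this line but keeps the rebinding. Pass the payload directly instead, `log.error('Failed to add Certificate Authority', {'Error': err.decode(), 'CA': ca['name']})`, and likewise in the @@ -325 hunk for the `{'Error': err.decode(), 'Certificate': nickname}` case, where the KeyError follows on the very next line. Whether exit status 2 means "already exists" on the certmonger versions in use is not visible here; a comment such as `# getcert exits 2 when the CA already exists, see https://www.pagure.io/certmonger/issue/269` would record the assumption the commit message describes. cert_enroll starts before this hunk and ends after it.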
@@ -325,12 +336,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             out, err = p.communicate()
             log.debug(out.decode())
             if p.returncode != 0:
-                data = { 'Error': err.decode(), 'Certificate': nickname }
-                log.error('Failed to request certificate', data)
+                if p.returncode == 2:
+                    log.info('The template [%s] already exists' % (nickname))
+                else:
+                    data = {'Error': err.decode(), 'Certificate': nickname}
+                    log.error('Failed to request certificate', data)
+
             data['files'].extend([keyfile, certfile])
             data['templates'].append(nickname)
         if update is not None:
-            Popen([update]).wait()
+            ret = Popen([update]).wait()
+            if ret != 0:
+                log.error('Failed to run %s' % (update))
         else:
             log.warn('certmonger and cepces must be installed for ' +
                      'certificate auto enrollment to work')
--
Samba Shared Repository
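Review bot: The `ret = Popen([update]).wait()` / `if ret != 0: log.error(...)` block added after the template loop is a verbatim copy of the one added after the symlink loop in the @@ -295 hunk, so the two will drift apart the next time the exit-status handling changes. A module-level helper such as `_run_update` below, called as `_run_update(update)` at both sites, keeps the spawn and the error log in one place. cert_enroll starts outside this hunk.
```python
def _run_update(update):
    """Run the CA update command and log a non-zero exit status."""
    ret = Popen([update]).wait()
    if ret != 0:
        log.error('Failed to run %s' % (update))
    return ret
```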